Alerting and tagging using a malware analysis platform for threat intelligence made actionable

ABSTRACT

Techniques for alerting and tagging using a malware analysis platform for threat intelligence made actionable are disclosed. In some embodiments, a system, process, and/or computer program product for alerting and tagging using a malware analysis platform for threat intelligence made actionable includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract artifacts associated with the log files; determining whether a tag matches any of the plurality of samples based on the artifacts; and performing an action based on whether the tag matches any of the plurality of samples.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1 is a functional diagram of an architecture of a malware analysisplatform for threat intelligence made actionable in accordance with someembodiments.

FIG. 2 is another functional diagram of an architecture of a malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments.

FIG. 3 is a functional diagram of an architecture of a malware analysisplatform for threat intelligence made actionable for ingestion andprocessing of results of automated analysis of malware samples inaccordance with some embodiments.

FIG. 4 is a flow diagram for performing a data ingestion process for themalware analysis platform for threat intelligence to update line countsmade actionable in accordance with some embodiments.

FIG. 5 is a functional diagram for ingestion and processing of resultsof automated analysis of malware samples to update line counts inaccordance with some embodiments.

FIG. 6 is a screen shot of a dashboard of an interface for the malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments.

FIGS. 7A-7B are screen shots of a search editor of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIG. 8 is a screen shot of a samples search view of a search editor ofan interface for the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments.

FIG. 9 is a screen shot of a sessions search view of a search editor ofan interface for the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments.

FIG. 10 is a screen shot of a statistics search view of a search editorof an interface for the malware analysis platform for threatintelligence made actionable in accordance with some embodiments.

FIGS. 11A-11B are screen shots of a domain, URL, and IP addressinformation search view of a search editor of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIG. 12 is a screen shot of an alerts screen of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIGS. 13A-C are screen shots of an alerts log screen of an interface forthe malware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIG. 14 is a screen shot of a tag detail screen of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIGS. 15A-D are screen shots of an interface for viewing and/orperforming actions based on artifacts utilizing the malware analysisplatform for threat intelligence made actionable in accordance with someembodiments.

FIG. 16 is a flow diagram for a process performed using the malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments.

FIG. 17 is another flow diagram for a process performed using themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIG. 18 is another flow diagram for a process performed using themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments.

FIG. 19 is a flow diagram for a tagging and alerting process performedusing the malware analysis platform for threat intelligence madeactionable in accordance with some embodiments.

FIG. 20 is another flow diagram for a tagging and alerting processperformed using the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a computer program product embodied ona computer readable storage medium; and/or a processor, such as aprocessor configured to execute instructions stored on and/or providedby a memory coupled to the processor. In this specification, theseimplementations, or any other form that the invention may take, may bereferred to as techniques. In general, the order of the steps ofdisclosed processes may be altered within the scope of the invention.Unless stated otherwise, a component such as a processor or a memorydescribed as being configured to perform a task may be implemented as ageneral component that is temporarily configured to perform the task ata given time or a specific component that is manufactured to perform thetask. As used herein, the term ‘processor’ refers to one or moredevices, circuits, and/or processing cores configured to process data,such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall rules or firewall policies, whichcan be triggered based on various criteria, such as described herein).

Network devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, intrusion prevention/detection,Data Loss Prevention (DLP), and/or other security functions), networkingfunctions (e.g., routing, Quality of Service (QoS), workload balancingof network related resources, and/or other networking functions), and/orother functions. For example, routing functions can be based on sourceinformation (e.g., IP address and port), destination information (e.g.,IP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent (e.g., next generation firewalls). In particular, certain nextgeneration firewalls are expanding the list of applications that thesefirewalls can automatically identify to thousands of applications.Examples of such next generation firewalls are commercially availablefrom Palo Alto Networks, Inc. located in Santa Clara, Calif. (e.g., PaloAlto Networks' PA Series firewalls). For example, Palo Alto Networks'next generation firewalls enable enterprises to identify and controlapplications, users, and content—not just ports, IP addresses, andpackets—using various identification technologies, such as thefollowing: APP-ID for accurate application identification, User-ID foruser identification (e.g., by user or user group), and Content-ID forreal-time content scanning (e.g., controls web surfing and limits dataand file transfers). These identification technologies allow enterprisesto securely enable application usage using business-relevant concepts,instead of following the traditional approach offered by traditionalport-blocking firewalls. Also, special purpose hardware for nextgeneration firewalls implemented, for example, as dedicated appliancesgenerally provide higher performance levels for application inspectionthan software executed on general purpose hardware (e.g., such assecurity appliances provided by Palo Alto Networks, Inc., which utilizededicated, function specific processing that is tightly integrated witha single-pass software engine to maximize network throughput whileminimizing latency).

Advanced or next generation firewalls can also be implemented usingvirtualized firewalls. Examples of such next generation firewalls arecommercially available from Palo Alto Networks, Inc. (e.g., Palo AltoNetworks' VM Series firewalls, which support various commercialvirtualized environments, including, for example, VMware® ESXi™ andNSX™, Citrix® Netscaler SDX™, KVM/OpenStack (Centos/RHEL, Ubuntu®), andAmazon Web Services (AWS)). For example, virtualized firewalls cansupport similar or the exact same next-generation firewall and advancedthreat prevention features available in physical form factor appliances,allowing enterprises to safely enable applications flowing into, andacross their private, public, and hybrid cloud computing environments.Automation features such as VM monitoring, dynamic address groups, and aREST-based API allow enterprises to proactively monitor VM changesdynamically feeding that context into security policies, therebyeliminating the policy lag that may occur when VMs change.

A significant challenge for security detection techniques is to identifythreats (e.g., malware, which refers to malicious programs, such asprograms attempting to perform malicious or undesired actions)attempting to use new exploits, such as zero-day threats that have notpreviously been identified (e.g., targeted and unknown threats). Forexample, a new zero-day threat and/or an advanced threat, such as anAdvanced Persistent Threat (APT) (e.g., technically advanced adversariesthat employ various techniques using malware to exploit vulnerabilitiesin systems and often using an external command and control (C&C) forcontinuously monitoring and extracting data from a specific target,often using stealthy, persistent methods that can evade traditionalsecurity measures, such as signature-based malware detection measures)that has not previously been identified (e.g., for which no signatureyet exists) can exploit new or unresolved vulnerabilities in anapplication or operation system of a device (e.g., a client device, aserver, an appliance, a networking device, a printer, and/or other typesof computing devices).

However, existing technology-based security approaches fail to providesolutions made actionable that can adequately address theabove-described problems. For example, existing approaches fail toprovide a malware analysis platform that can facilitate viewing,analyzing, and acting upon attributes (e.g., high-risk attributes)associated with malware.

In particular, sophisticated attackers are increasingly using targetedand new unknown variants of malware to avoid detection by existingtechnology-based security approaches (e.g., traditional securityproducts/solutions). For example, advanced security threats (e.g.,advanced cyber-attacks) are employing stealthy, persistent methods toevade traditional security measures (e.g., APTs). Skilled adversaries(e.g., attackers) demand that modern security teams re-evaluate theirbasic assumptions that traditional intrusion prevention and DLP systems,antivirus, and single-purpose sandbox appliances are up to the task ofdefeating advanced security threats, such as APTs and other techniquesutilized by insider threats to, for example, exfiltrate data fromenterprise networks.

Overview of Techniques for a Malware Analysis Platform for ThreatIntelligence Made Actionable

Thus, what are needed are new and improved techniques fortechnology-based security solutions that can provide a malware analysisplatform for threat intelligence made actionable that can adequatelyaddress the above-described problems and/or the various other problemsdescribed herein.

Accordingly, techniques for a malware analysis platform for threatintelligence made actionable are disclosed. In one embodiment, themalware analysis platform for threat intelligence made actionable isdisclosed that generates an enhanced view of malware analysis results.For example, the malware analysis platform can perform an ingestion andtransformation process to process a set of log files including (e.g.,selected/important) malware analysis results activity (e.g., such asstatic malware analysis results and/or dynamic malware analysis results,which can include mutex usages, network activities, registry changes,API calls, and/or various other selected/important malware analysisresults activity) to facilitate an enhanced view of malware analysisresults.

In addition, the significant amount and complex information that isgenerated by existing security analysis approaches presents a technicalchallenge to identify and/or determine the malicious activity a malwareis performing and/or to associate patterns or relationships betweenmalware samples and their features and/or behaviors. Accordingly,techniques for determining artifacts associated with malware, grayware,and benign samples are disclosed. In one embodiment, analysis ofartifacts can be performed based on malware sample analysis results togenerate an enhanced view of malware analysis results as furtherdescribed herein.

In one embodiment, the malware analysis platform generates an enhancedview of malware analysis results using artifacts (e.g., based onanalysis performed using line counting techniques, such as line countingor sub-line counting of log files of malware sample analysis results,such as further described below). For example, the malware analysisplatform can perform the above-described ingestion and transformationprocess to generate a set of log files including (e.g.,selected/important) malware analysis results activity (e.g., such asstatic malware analysis results and/or dynamic malware analysis results,which can include mutex usages, network activities, registry changes,API calls, and/or various other selected/important malware analysisresults activity).

For example, line/sub-line counts can be performed on the malwareanalysis sample results (e.g., log files) to provide a statistical viewof the malware analysis results data (e.g., across different enterprisenetworks of subscribers/customers to the malware analysis platformservice, categories of customers/industries, etc.), such as includingone or more of the following: (1) common actions/attributes that havebeen observed at least a threshold number of times in both benign andmalware samples; (2) (malicious/suspicious) actions/attributes (e.g.,suspicious artifacts) that have been observed at least a thresholdnumber of times in malware samples and only observed a relatively lowerthreshold number of times in benign samples; and (3) actions/attributes(e.g., highly-suspicious artifacts) that have been observed at least athreshold number of times in benign samples and only observed arelatively lower threshold number of times in malware samples. Thedisclosed techniques can be performed to identify risky/high-riskartifacts (e.g., suspicious and/or highly-suspicious artifacts), whichcan then be utilized to perform analysis and/or perform actions based onthese artifacts as further described below.

For example, the disclosed techniques can be performed to identifyhigh-risk artifacts (e.g., artifacts determined to be most likely to bedetected with malware as Suspicious or Highly Suspicious using varioustechniques disclosed herein) associated with lines/sub-lines in a logfile for a given malware sample (e.g., by determining thelines/sub-lines in the log file that are associated with a high malwarecount and/or a low benign count, such as further described herein). Inthis example, the suspicious lines/sub-lines can then also be utilizedto automatically generate a new signature for detecting malware for thatmalware sample to perform actions to block malware that includes theartifact(s) associated with these suspicious lines/sub-lines (e.g., byadding high-risk artifacts, such as high-risk artifacts for Domains, IPaddresses, and/or URLs, to be used with a firewall block list or tosupport a security information and event management (SIEM) solution). Inthis example, the disclosed techniques can also be performed as avalidation/proofing system to test and validate the new signature andexamine the line count results.

In some embodiments, a system, process, and/or computer program productfor a malware analysis platform for threat intelligence made actionableincludes receiving a plurality of samples for performing automatedmalware analysis to generate log files based on the automated malwareanalysis (e.g., including results from a dynamic and/or staticanalysis); processing the log files to determine artifacts associatedwith malware; and performing an action based on an artifact. Forexample, if the artifact is determined to be associated with one or moremalware samples based on the automated malware analysis, then theartifact can be deemed a high-risk artifact.

In one embodiment, a log file for a sample comprises one or more linesbased on the automated malware analysis results for the sample, and asystem, process, and/or computer program product for a malware analysisplatform for threat intelligence made actionable further includesidentifying distinct lines in the log file; and updating a line countfor each of the distinct lines based on line counting performed forpreviously processed log files.

In one embodiment, a log file for a sample comprises one or more linesbased on the automated malware analysis results for the sample, and asystem, process, and/or computer program product for a malware analysisplatform for threat intelligence made actionable further includesidentifying distinct lines in the log file; and determining whether anyof the distinct lines are suspicious.

In one embodiment, a system/process/computer program product for amalware analysis platform for threat intelligence made actionableincludes generating a human readable format of malware analysis resultlog files (e.g., replacing numeric identifiers and removingnot-interesting parameters, such as described herein); determining afirst occurrence of each distinct line in each log file (e.g., andremoving duplicate lines within the log file); and counting how manytimes each distinct line is observed in malware samples as compared withbenign samples. In one embodiment, the disclosed line countingtechniques are similarly applied to generate the sub-line counts, suchas further described herein. For example, a subset of each line can becounted, such as to implement sub-line/attribute/parameter counting(e.g., based on a registry name, mutex, file name, and/or otherattributes/parameters, rather than the entire/whole line). In oneembodiment, the disclosed line counting techniques are similarly appliedto generate the line/sub-line counts for a specified date range and/or aspecified set of samples, such as further described herein.

In some embodiments, a system, process, and/or computer program productfor tagging and alerting using a malware analysis platform for threatintelligence made actionable includes receiving a plurality of samplesfor performing automated malware analysis to generate log files based onthe automated malware analysis (e.g., including results from a dynamicand/or static analysis); processing the log files to extract artifactsassociated with the log files; determining whether a tag matches any ofthe plurality of samples based on the artifacts; and performing anaction based on whether a tag matches any of the plurality of samples.For example, if the artifact is determined to be associated with malwarebased on the automated malware analysis, then the artifact can be deemeda high-risk artifact. In one embodiment, a log file for a samplecomprises one or more lines based on the automated malware analysisresults for the sample.

In one embodiment, a system, process, and/or computer program productfor tagging and alerting using the malware analysis platform for threatintelligence made actionable further includes generating an alert basedon the determination that the tag matches at least one of the pluralityof samples. For example, an alert can be generated (e.g., for acustomer/subscriber of the platform) when there is a matching tag, andthere is network traffic for that sample in the monitored network (e.g.,the subscriber's enterprise network, or for an alert if the tag istriggered based on a public sample that was detected in anothersubscriber's enterprise network, such as another subscriber that is in asame industry category).

In one embodiment, a system, process, and/or computer program productfor tagging and alerting using the malware analysis platform for threatintelligence made actionable further includes configuring a tag based ona plurality of conditions associated with one or more artifacts; anddetermining whether the tag matches any of the plurality of samplesbased on the plurality of conditions associated with one or moreartifacts.

As an example, the disclosed techniques can be performed to allow usersto learn more information about samples that were found/detected ontheir network (e.g., enterprise network). Assume that a bank, ACME Bank,is a customer/subscriber of the malware analysis platform for threatintelligence made actionable, ACME Bank could then utilize the platformto determine that 40% of banking customers have found/detected that samemalware on their networks. As another example, ACME Bank could utilizethe platform to search analysis of malware samples results data that caninclude additional statistics based on automated analysis of the malwaresamples results data, which can facilitate identification of pervasivemalware, high-risk artifacts associated with malware, and/or revealconnections/associations between malware (e.g., shared high-riskartifacts or other connections/associations). As another example, ACMEBank could utilize the platform to prioritize security events in theirnetwork environment by distinguishing between threats or campaigns withglobal impact (e.g., based on alerting tags) and less impactful threatsthat do not pose a direct or immediate security risk (e.g., based oninformational tags). As such, ACME Bank could utilize the platform toquickly identify threats on their network, and to contextualize suchevents within an industry, global, and historical context (e.g.,utilizing a dashboard interface of the platform to view the top activityfor their network, for their industry, and on a global scale) and canalso perform actions based on the threat intelligence information, suchas further described below.

Accordingly, various techniques for providing a malware analysisplatform for threat intelligence made actionable are disclosed. Forexample, various technical solutions for providing a malware analysisplatform for threat intelligence made actionable are disclosed. As willbe apparent to one skilled in the art in view of the various techniquesand embodiments described herein, the various techniques describedherein for providing a malware analysis platform for threat intelligencemade actionable can similarly be performed using cloud-based securitysolutions, network device-based security solutions,host-based/agent-based security solutions, and/orvirtualized/software-defined networking (SDN)-based security solutions,such as further described below with respect to various embodiments.

A System Architecture for a Malware Analysis Platform for ThreatIntelligence Made Actionable

FIG. 1 is a functional diagram of an architecture of a malware analysisplatform for threat intelligence made actionable in accordance with someembodiments. As shown in FIG. 1, client devices 104A, 104B, and 104C arein communication with the Internet 106 via a network device 102 (e.g., adata appliance). In one embodiment, network device 102 includes afirewall 112 as shown (e.g., a firewall component that can beimplemented in software executed on a hardware processor of the networkdevice, or implemented in hardware at least in part, and/or acombination thereof; as an example, as a commercially available firewallsolution from Palo Alto Networks, Inc. or another security vendor can beutilized), which can be used for security for an enterprise network 120.In one embodiment, network device 102 and firewall 112 perform varioussecurity operations to protect enterprise network 120 and/or the client,server, and/or other devices within the perimeter of enterprise network120 (e.g., including providing malware samples to a cloud securityservice 130 for further analysis, such as further described below). Inone embodiment, network device 102 includes a data appliance (e.g., asecurity appliance), a gateway (e.g., a security gateway), a server(e.g., a server that executes security software including firewall 112),and/or some other network/security device, which, for example, can beimplemented using computing hardware, software,virtualized/software-defined networking (SDN)-based solutions, orvarious combinations thereof.

In one embodiment, one or more of client devices 104A-104C include ahost agent (HA) 114 as shown. For example, HA 114 can be implemented asa host-based firewall and/or an agent, such as a network/security agent,executed on the client/host device (e.g., implemented in software thatcan be executed on a hardware processor of the client/host device) thatcan perform various functions in coordination with network device 102,firewall 112, and/or cloud security service 130 to facilitate endpointprotection (e.g., including providing malware samples to cloud securityservice 130 for further analysis, such as further described below). Inan example implementation, HA 114 can be provided by a lightweight agent(e.g., a commercially available endpoint agent, such as the Palo AltoNetworks® Traps™ agent available from Palo Alto Networks, Inc., which isa highly scalable, lightweight agent for endpoint security, or anendpoint agent from another security vendor can be utilized) that can beexecuted on, for example, a variety of different client/host deviceplatforms (e.g., Microsoft® Windows® Operating System (OS) platformsand/or other platforms for clients and/or servers) to facilitateendpoint security in coordination with network device 102, firewall 112,and/or cloud security service 130, such as further described below.

For example, client devices 104A-C can include various computing devicesthat can access the Internet via wired and/or wireless communications,such as computers, laptops, tablets, smart phones, and/or various othertypes of computing devices with network communication capabilities. Asalso shown, servers 108A-C are in communication with the Internet 106.For example, a client device can access a service provided by a servervia the Internet, such as a web-related service (e.g., web site,cloud-based services, streaming services, or email services, such asweb-posting applications, email applications, peer-to-peer relatedservices, and/or any other applications or services that perform networkcommunications via the Internet).

As also shown in FIG. 1, cloud security service 130 includes a datastore for storing malware samples 132 and a platform for automatedanalysis of malware samples 134 and a malware analysis platform 136. Forexample, malware samples can be received from subscribers of cloudsecurity service 130, such as from firewall 112 of network device 102,HA 114 of client 104B, and/or other devices/components associated withthe subscribers of the cloud security service. The malware samples canbe, in some cases, files, PCAPs, and/or other data/content that isdeemed suspicious by, for example, the firewall and/or HA. Thesuspicious malware sample can then be automatically sent to the cloudsecurity service for further automated analysis. For example, automatedanalysis of the malware samples can include automated dynamic analysisand automated static analysis, such as further described herein (e.g.,the automated analysis of malware samples can be provided by acommercially available malware analysis service, such as the WildFire™cloud-based malware analysis environment that is a commerciallyavailable cloud security service provided by Palo Alto Networks, Inc.,which includes automated security analysis of malware samples as well assecurity expert analysis, or a similar solution provided by anothervendor can be utilized).

In an example implementation, the enterprise network is subscribed tothe cloud security service, and the network device can securelycommunicate with the cloud security service (e.g., using a commerciallyavailable cloud-based security service, such as provided by Palo AltoNetworks that provides API support via the WildFire API, such as forsubmission of malware samples (e.g., files and/or other data/content canbe submitted/uploaded for malware analysis; and after a submittedmalware sample is analyzed, other data can be provided as an availabledownload for further analysis, such as PCAP data and/or otherdata/content for further malware analysis). Another example is using aURL filtering subscription service (e.g., Palo Alto Networks PANdb URLfiltering subscription service or another commercially available URLfiltering subscription service) to submit one or more URLs (e.g., thesubmission of a URL, full or part of a web page, statistics/transformedversion of a web page, which can include a list of form field names,types, default values, parameters, etc.) for cloud-based, asynchronousanalysis. The results of the cloud-based, asynchronous analysis can thenbe provided back to the firewall and/or other network/filtering devicesand/or agents for possible responsive actions. In one embodiment, theresults of the cloud-based, asynchronous analysis can also be accessedusing malware analysis platform 136, such as further described below.

In one embodiment, malware analysis platform 136 provides a platform foraccessing results of the automated analysis of the malware samplesgenerated by automated analysis of malware samples 134. For example, asubscriber can access, analyze, and/or perform actions based on resultsof the malware sample analysis, which can include results for malwaresamples provided from the subscriber's enterprise network and/or fromother subscribers' enterprise networks (e.g., if such are associatedwith public or non-confidential samples). These and other aspects ofmalware analysis platform 136 will be further described below.

In one embodiment, malware analysis platform 136 is implemented as acloud service. For example, malware analysis platform 136 can beimplemented using an internal data center or can be implemented using acloud-based computing/storage data center service (e.g., such ascloud-based computing services provided by Amazon (Amazon WebServices®), Google, IBM, Microsoft, or other commercially availablecloud-based computing/storage services). In one embodiment, a customer(e.g., an enterprise with their own enterprise data center) canimplement the disclosed malware analysis system executed in their owndata center for their own malware data samples processed by theautomated malware analysis system (e.g., utilizing a WF-500 WildFire™appliance that is commercially available from Palo Alto Networks, Inc.,which can be deployed within a subscriber's enterprise network toimplement an on-premises WildFire™ private cloud, enablingcustomers/subscribers to analyze suspicious files in a sandboxenvironment without requiring the malware samples (e.g., files) to besent outside of their network to the WildFire™ public cloud).

Sample Analysis Categories

In one embodiment, firewalls with subscriptions are configured toforward unknown samples to cloud security service 130, where the sampleundergoes analysis in a sandbox environment. For example, staticanalysis can be performed based on properties of a sample that can bedetected and observed without executing the sample. Dynamic analysis canbe performed utilizing the sandbox environment to monitor activitiesassociated with opening and/or executing the sample in a sandboxenvironment (e.g., using one or more instrumented virtual executionenvironments).

Example file analysis information determined using a static fileanalysis and/or a dynamic file analysis can be grouped into thefollowing example categories: file property details, static analysisresults, and dynamic analysis results. In this example, the fileproperty details and the static analysis results can be determined basedon observations of the sample during the static analysis, and thedynamic analysis results can be determined based on observations of theactivities and behaviors seen when the sample was executed in thesandbox environment during the dynamic analysis.

In an example implementation, file property details can include one ormore of the following: a verdict (e.g., an assignment of the sample tomalware, grayware, or benign based on properties, behaviors, andactivities observed for the file or email link during static and/ordynamic analysis, such as using the disclosed techniques); a hashvalue(s) (e.g., SHA256, MD5, or other hash algorithm can be utilized togenerate unique cryptographic hashes of the sample); a type (e.g.,sample file type, such as email link, Adobe Flash File, PDF file, oranother file type); size (e.g., sample size in bytes); a created timestamp (e.g., a date and time that the sample was first forwarded oruploaded to the cloud security service); a finished time stamp (e.g., adate and time that the analysis of the sample was completed by the cloudsecurity service); a digital signature; a VirusTotal hit (e.g., a numberof times that this sample has been detected by VirtusTotal); and aMultiScanner hit (e.g., a number of other vendors that have alsoidentified this sample as malware using multiscanners (e.g., antivirusengines running concurrently)).

In an example implementation, dynamic analysis results can include oneor more of the following: observed behavior (e.g., lists behaviors seenfor the sample in the sandbox environment, such as whether the samplecreated or modified files, started a process, spawned new processes,modified the registry, or installed browser help objects (BHOs), inwhich each behavior can also be assigned a risk level of high, medium,low, or informational); connection activity (e.g., lists processes thataccessed other hosts on the network when the sample was executed in asandbox environment, in which information listed can include the processthat accessed other hosts on the network, the port through which theprocess connected, the protocol used for the connection, and the IPaddress and country of the host); DNS activity (e.g., lists DNS activityobserved when the sample was executed in the sandbox environment, whichcan include the hostname that was translated (Query), the resolveddomain name or IP address (Response), and the Type of DNS resourcerecord used to resolve the DNS query); file activity (e.g., lists filesthat showed activity as a result of the sample being executed in thesandbox environment; information for each artifact can include theparent process that showed activity, the action the parent processperformed, and the file which was altered (created, modified, deleted,etc.)); HTTP activity (e.g., lists the HTTP requests made when thesample was executed in the sandbox environment, in which information foreach artifact can include the domain to which the HTTP request was sent,the HTTP method used by the host, the URL for the resource beingrequested, and the string originating the request (User Agent column));Java API activity (e.g., lists Java runtime activity seen when thesample was executed in the sandbox environment); other API activity(e.g., lists API activity seen in the sandbox environment when thesample was executed, in which listed details can include the parentprocess that was active, the API calls made by the parent process, andthe process that was modified); Mutex activity (e.g., a mutex (mutualexclusion object) allows programs to share the same resource, though theresource can only be used separately; if the sample generates otherprogram threads when executed in the sandbox, the mutex created when theprograms start is listed along with the parent process); processactivity (e.g., lists processes that showed activity when the sample wasexecuted, in which information listed can include the parent processthat was active, the action that the parent process performed, and theprocess that was modified); registry activity (e.g., lists OS, such asMicrosoft Windows, registry settings and options that showed activitywhen the sample was executed in the sandbox, in which information listedcan include the parent process that was active, the registry method usedby the parent process (Action), and the parameters column lists theregistry key that was set, modified, or deleted); service activity(e.g., lists services that showed activity as a result of the samplebeing executed in the sandbox environment, in which information for eachservice activity can include the process that was active, the action theprocess performed, and the service that was created, modified, ordeleted); and user agent string fragments (e.g., lists the user agentheader for HTTP requests sent when the sample was executed in thesandbox environment).

In an example implementation, static analysis results can include one ormore of the following: suspicious file properties (e.g., lists high-riskcontent found during a pre-screening analysis of the sample; examples ofsuspicious file properties can include a file belonging to a knownmalware family or a file signed with a known malicious certificate, or afile with source code that contains dangerous shell commands); andproperties and activities observed for Android application package (APK)files (e.g., defined activity, defined intent filter, defined receiver,defined sensor, defined service, defined URL, requested permission,sensitive API call, suspicious API call, suspicious file, suspiciousstring, and/or other properties and activities). For example, staticanalysis results can also include compiler and compilation time of thesample, strings within the sample, icons, linked DLL files, a list ofimported API functions, a number of sections/segments, and/or variousother properties.

An example architecture of malware analysis platform 136 is shown inFIGS. 2 and 3 as further described below.

FIG. 2 is another functional diagram of an architecture of a malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments. As shown in FIG. 2, client devices, such asclient device 204, are in communication with the Internet 206 via anetwork device 202 (e.g., a data appliance). In one embodiment, networkdevice 202 includes a firewall 212 as shown (e.g., a firewall componentthat can be implemented in software executed on a hardware processor ofthe network device, or implemented in hardware at least in part, and/ora combination thereof; as an example, as a commercially availablefirewall solution from Palo Alto Networks, Inc. or another securityvendor can be utilized), which can be used for security for anenterprise network 220. In one embodiment, network device 202 andfirewall 212 perform various security operations to protect enterprisenetwork 220 and/or the client, server, and/or other devices within theperimeter of enterprise network 220 (e.g., including providing malwaresamples to a cloud security service 230 for further analysis, such asfurther described below). In one embodiment, network device 202 includesa data appliance (e.g., a security appliance), a gateway (e.g., asecurity gateway), a server (e.g., a server that executes securitysoftware including firewall 212), and/or some other network/securitydevice, which, for example, can be implemented using computing hardware,software, virtualized/software-defined networking (SDN)-based solutions,or various combinations thereof.

As also shown in FIG. 2, cloud security service 230 includes a datastore for storing malware samples 232 and a platform for automatedanalysis of malware samples 234 and a malware analysis platform 236. Forexample, malware samples can be received from subscribers of cloudsecurity service 230, such as from firewall 212 of network device 202and/or other devices/components associated with the subscribers of thecloud security service. The malware samples can be, in some cases,files, PCAPs, and/or other data/content that is deemed suspicious by,for example, the firewall and/or the HA. The suspicious malware samplecan then be automatically sent to the cloud security service for furtherautomated analysis. For example, automated analysis of the malwaresamples can include automated dynamic analysis and automated staticanalysis, such as further described herein (e.g., the automated analysisof malware samples can be provided by a commercially available malwareanalysis service, such as the WildFire™ cloud-based malware analysisenvironment that is a commercially available cloud security serviceprovided by Palo Alto Networks, Inc., which includes automated securityanalysis of malware samples as well as security expert analysis, or asimilar solution provided by another vendor can be utilized).

In one embodiment, cloud security service 230 receives malware samplesfrom a subscriber(s) of the cloud security service as shown at 250,which can be stored in malware samples data store 232 (e.g., includingmeta data associated with each of the malware samples, such as sessiontable data that can include source, destination, and protocol data formalware samples sent from a firewall). The malware samples are sent toplatform for automated analysis of malware samples 234 for processing asshown at 252. Platform for automated analysis of malware samples 234logs results of the automated analysis of the malware samples as shownat 254, which can be stored in a data store for results of automatedanalysis of malware samples 244 (e.g., storing results of automatedanalysis of malware samples as log files). Results of automated analysisof malware samples 244 are ingested (e.g., periodically and/or on demandto ingest and process the log files of results of automated analysis ofmalware samples) by malware analysis platform 236 as shown at 256. Asalso shown, an interface for malware analysis platform 246 provides auser interface (e.g., a graphical user interface (GUI) or another typeof user interface (UI)) that facilitates programmatic and/or end userinterface access to malware analysis platform 236, such as furtherdescribed below. For example, the malware analysis platform includes aninterface (e.g., a graphical user interface (GUI)) and/or a programmaticinterface (e.g., via an application programming interface (API)) thatfacilitates subscriber/user access to the malware analysis platform forviewing, analyzing, and/or performing actions based on the security dataand results provided by the malware analysis platform.

For example, using the disclosed line counting techniques, the interfacefor the malware analysis platform provides a user interface that can beutilized to show logs of a selected malware sample and highlight themost suspicious lines in the log (e.g., lines with high malwarecount/low benign count). As another example, using the disclosed linecounting techniques, a new signature can be automatically generatedusing the most suspicious lines in the log (e.g., lines with highmalware count/low benign count), and the system can validate/test thenew signature and examine the line counts based on that automatedtesting. These and other examples are facilitated by the disclosed linecounting techniques to provide for enhanced threat intelligence usingthe malware analysis platform. As yet another example, using thedisclosed line counting techniques, the interface for the malwareanalysis platform provides a user interface that can be utilized toselect an artifact(s) (e.g., high-risk artifacts, such as suspiciousand/or highly-suspicious artifacts as described herein) to be used witha firewall block list that can be exported using interface for malwareanalysis platform 246 of cloud security service 230 and then importedand implemented for processing network traffic on enterprise network 220using firewall 212 of network device 202 (e.g., and/or using HA 114 asshown in FIG. 1) or to support a security information and eventmanagement (SIEM) solution.

An example architecture for ingestion of the results of the automatedanalysis of the malware samples is shown in FIG. 3 as further describedbelow.

A System Architecture for Ingestion of Results of Automated Analysis ofMalware Samples

FIG. 3 is a functional diagram of an architecture of a malware analysisplatform for threat intelligence made actionable for ingestion andprocessing of results of automated analysis of malware samples inaccordance with some embodiments. As shown in FIG. 3, an ingestionarchitecture 302 for ingestion and processing of results of automatedanalysis of malware samples to facilitate threat intelligence isprovided. For example, the system architecture described above withrespect to FIG. 2 can implement the disclosed live ingestionarchitecture 302 to ingest (e.g., periodically and/or on demand) andprocess results of automated analysis of malware samples 244 generatedby malware analysis platform 236 as shown at 256 in FIG. 2.

In one embodiment, ingestion architecture 302 is implemented using apipeline of software programs executing over a distributed set ofsystems to ingest and process results of automated analysis of malwaresamples generated by the malware analysis platform to facilitate threatintelligence made actionable. For example, the results of automatedanalysis of malware samples generated by the malware analysis platformcan be ingested to determine data of interest (e.g., relationships ofmalware samples, trends in malware samples, and/or other data ofinterest) based on the ingested and processed results of the malwareanalysis platform (e.g., as similarly described above, the malwareanalysis platform can include various malware sample (static/dynamic)analysis and/or URL filtering services). The results of the ingested andprocessed results of automated analysis of malware samples generated bythe malware analysis platform can be indexed to facilitate search accessfor programmatic/user interface access to the malware analysis platform,such as further described below (e.g., published into an elastic searchto facilitate search and analytics). The results of the ingested andprocessed results of automated analysis of malware samples generated bythe malware analysis platform can also implement various analytics-basedprocessing and programmatic/user interface access, such as furtherdescribed below.

Overview of an Ingestion Architecture

In one embodiment, the system architecture as shown in FIG. 3illustrates an overall view of an ingestion architecture. In oneembodiment, ingestion architecture 302 is implemented using variouscomponents including a messaging broker (e.g., RabbitMQ, Kafka, ZeroMQ,or another open source or commercially available messaging broker), arelational database (e.g., MySQL or another open source or commerciallyavailable database, such as a relational database), a search engine(e.g., ElasticSearch, Lucene, Solr, or another open source orcommercially available full-text (free form, unstructured) searchengine, where the gleaned data ingestion of results of automatedanalysis of malware samples can be processed to facilitate user accessand presentation), a non-relational database (e.g., Apache HBase,Cassandra, MangoDB, or another open source or commercially availabledatabase, such as a non-relational database), and other components asfurther described below. In one embodiment, the components of ingestionarchitecture 302 can reside and/or be executed on the same physicalmachine. In one embodiment, the components of ingestion architecture 302(e.g., and by design) can be deployed/distributed across a network ofdistinct physical machines/servers (e.g., CPU and memory bind the numberof components running on any one single machine). In an exampleimplementation, the disclosed data ingestion pipeline can be implementedusing various open source and/or commercially available components suchas described above and coded in various programming languages, such asPython, Java, and/or other programming languages.

Referring to FIG. 3, in this example implementation, a deployment of adistributed, live ingestion system for the malware analysis systeminvolves the following programmed physical machines: a MySQL databaseserver 334, an HBase server cluster 330, and a Rabbit MQ (RMQ) cluster316 (e.g., three machines, in which Rabbit1 is a primary and executesall the producers and 50 consumers, and Rabbit 2, and 3 are secondariesfor high availability (HA) and each executes a set of 50 consumers)(e.g., this example implementation can provide for a highly scalabledata ingestion pipeline capable of processing, for example, more thanfour million samples per day and more than eight million sessions perday performed using an internal data center with server class hardwareincluding, in this example implementation, 30 machines to executevarious functions/roles, such as MySQL, RabbitMQ producer and consumers,middleware, and the front-end as described herein; or cloudcomputing/storage services can be utilized as similarly describedabove). In this example, Rabbit MQ and SQL databases can be deployed inclusters to reduce a single point of failure and to facilitate a highavailability (HA) architecture for the live ingestion system. AJSON-style deployment configuration file 314 is loaded by each liveingestion component, which can provide data of where and how to accessthe RMQ and ES databases.

In one embodiment, a producer (ES, HBase, HDFS) 308 sources its datafrom various SQL databases shown as malware analysis result databases(primary) 304 and replica databases (secondary) 306, to glean malwaresample, task, and session data. Producer 308 then pushes the data toRabbit MQ (RMQ) 316 for consumption by other components of the liveingestion system. In this example, the consumers include but are notlimited to the following: HBase to facilitate map/reduce (M/R) jobs(e.g., HBase can be utilized to implement a key, value data database,such as for storing session data and malware analysis results data(including line counts determined using the disclosed line countingtechniques), such as further described below); ElasticSearch (ES), shownas ElasticSearch 332, to provide a back-end to the UI data source; andHadoop Distributed File System (HDFS) to provide a log file storage andcompatible format for M/R. Each consumer of that data can have adedicated producer process that pulls this information. In this exampleimplementation, there is one producer associated due to thecheckpointing methodology producers use to identify a last point ofprocessing. Each consumer for a component, such as ES consumers, canhave multiple instances executing independently from one another (e.g.,and are only bound by the performance of the receiving system such asHBase and ES, as well as SQL DBs to achieve other tasks, such astagging). Although the data is typically the same in most situations(e.g., ES and HBase are examples), in this implementation, a designchoice of generating such data from producers separately rather thanusing a point to multipoint model can ensure that the slowest of theconsumers does not starve/delay the other components.

In one embodiment, a backend of the live ingestion system is architectedto process and massage the data to reduce a load on the UI andmiddleware that act as a simpler presentation layer of information. Assuch, in this example implementation, any changes in how the data isinterpreted means that a re-seed of all the data into the correspondingcomponents is performed to ensure correctness (e.g., and utilize M/R,shown as MapReduce 338, to ingest data in bulk for efficient processingof the re-seeded data and/or other bulk data ingestions).

In an example implementation, the data that is collected by producers308 can be segmented into the following buckets: sample and its tasks,sessions, and multiscanner. The data can be collected in two forms: datacan be collected by finish time; and another producer for the same setof data can monitor for update time and can then re-ingest that data.The effort can be repeated for the interested recipients, including thefollowing producers: HBase, HDFS, and ES. This results in nineproducers, as follows: HBASE for sample/task by finish and update time;HDFS for sample/task by finish time; and ES, six producers for each datatype by finish and update time. In another example implementation, afeed of finished/analyzed samples is received from the automatedanalysis of malware samples (e.g., the WildFire™ cloud-based malwareanalysis environment).

Sample and Tasks

In an example implementation, to remove the probability of missing tasksfor samples as they were historically generated separately, the effortcan be combined into one where the system can first query for samplesthat are completed from a processing perspective (finish_date). Thefinish_date is a reliable indicator that no new tasks will come down thepipeline resulting in missed tasks. If a new task is generated (e.g.,which is generally a low probability), the sample's update_date can bemodified, which can then be consumed by a dedicated sample/task producerthat re-processes the sample and all its tasks by update_date.

Checkpointing

In an example implementation, each producer can cache its lastcheckpoint of what it processed by a relevant ID and data into a filestored on the machine on which it is executing, such as shown at 310 inFIG. 3. For example, this approach facilitates executing multipleproducers on different machines to start from different checkpoints. Inanother example implementation, checkpointing can be implemented usingMySQL (e.g., this approach facilitates portability across machines bydefining in a global configuration file a unique table name for eachproducer).

Sample Data

In an example implementation, sample fields that can be collected foreach malware sample from a malware sample table (e.g., unless otherwisespecified) can include one or more of the following: mid, md5, sha1,sha256, platform, type, family, description, create date, update date,source, file name, file type, size, analysis, malware, digital signer,vt_hit, finish date, and generic (e.g., derived from thesample_filetype_desc which is used in collecting sample behavior data,which may not be sent to consumers).

Malware Analysis

In an example implementation, the automated analysis of malware samplescan publish a 0, 1, or 2 for each sample indicating that the malwaresample is either benign, malware, or grayware respectively. In anotherexample implementation, the automated analysis of malware samples canpublish a distinct value for each sample indicating that the malwaresample is either benign, malware, grayware, and/or other categorizationsbased on the malware analysis. For example, when the malware sample issent, the original malware verdict and the final malware verdict canboth be published (e.g., HBase can utilize this knowledge for itsanalytics, while ES can store the final verdict).

Public/Private State of a Sample

In an example implementation, the automated analysis of malware samplescan indicate whether the malware sample is public or private (e.g., somecustomers may allow their malware sample(s) to be deemed public whileothers may not and/or such can be configured on a sample-by-sample basisas well as a customer-by-customer basis).

If there is no field or configured value for a given malware sample andresult of the analysis of that malware sample from the automatedanalysis of malware samples to indicate whether the sample should betreated as public or private, then such can be configured on acustomer-by-customer basis (e.g., to ensure that one customer's data isnot shown to another customer unless the sample is considered public).For example, a sample can be deemed private unless the followingcriteria is met: the malware sample exists in other public malware datacollections (e.g., if the virustotal_hit>=0, it is public); and if themalware sample is not associated with a private source.

Tasks for a Sample

In an example implementation, task fields that can be collected for eachtask from a task table (e.g., unless otherwise specified) and pushed upalong with sample data can include one or more of the following: taskID, file name, URL, md5, submitted time, start time, finish time,status, VM_ID, score, family, summary, report, and VM_platform table(e.g., including a platform ID, description, static, and malware).

Malware Sample Reports Based on Static Analysis

In an example implementation, a report is provided for malware samplesthat were analyzed based on static analysis techniques by the automatedanalysis of malware samples. For example, the report can be an XML file(e.g., compressed and hex encoded that indicates the results of thestatic analysis, such as using a PDF static analyzer, DOC/CDF staticanalyzer, Java/JAR static analyzer, Microsoft Office Open XML staticanalyzer, Adobe Flash static analyzer, Android static analyzer, iOSstatic analyzer, or another static analyzer).

Malware Sample Reports Based on Dynamic Analysis: Behavior Data

In an example implementation, a report is provided for malware samplesthat were analyzed based on dynamic analysis techniques by the automatedanalysis of malware samples (e.g., executing/opening the malware samplesin an instrumented virtual machine (VM) environment, which can beperformed in one or more OS/version environments, such as a MicrosoftWindows XP operating system environment, a Microsoft Windows 7×64 SP1operating system environment, and/or other OS/version environments, andmonitoring the behavior for a period of time, such as 30 seconds to fiveminutes or some other time interval or until an event is detected, suchas detection of malware behavior(s)). For example, each task can haveinteresting behavior identified during a dynamic analysis phaseperformed by the automated analysis of the malware samples that can beconveyed to the user (e.g., the behaviors can be collected based on atask_id from a behavior table and fetch the following fields to send).Example fields that can be extracted from such a dynamic analysis phaseof the malware samples (e.g., from the behavior table) can include oneor more of the following: ID, type, description, risk, category,details, and score.

Session Data

In an example implementation, there are two types of producers forsession data. A first type of producer for session data is driven by theES consumer: once it ingests a sample, it stores a hash of the sample(e.g., using SHA or another hash algorithm) in a sample_ready table, andthe session producer can query that table and publish all sessions forthat hash value (e.g., if sessions are processed first, and then thesample is received, then the sessions can be reprocessed to generatealerts). A second type of producer uses dates and session IDs ascheckpoints to process sessions as they come along in the automatedanalysis of malware samples system (e.g., if the sample has already beenprocessed, then the sessions can be processed to generate alerts). Thefollowing fields can be collected for each session from the sessiontable including one or more of the following: id, sha256, create time,source IP, source port, destination IP, destination port, file URL, filename, device ID, user name, app, vsys, malware, host name, URI, devicehost name, session ID, and sample table.

Multiscanner Data

In one embodiment, one or more producers are provided that producemalware analysis data from one or more malware scanners. For example,malware scanner data can include dynamic analysis malware scannerresults data and static analysis malware scanner results. As anotherexample, malware scanner data can also include malware analysis resultsdata from one or more third-party sources, such as commerciallyavailable or publicly available/open malware analysis data sources(e.g., third-party feeds including closed and/or open-source threatintelligence feeds). Examples of third party, commercially available orpublicly available/open malware analysis data sources include CyberThreat Alliance, Defense Industrial Base Cyber Security InformationAssurance (DIB CS/IA), Financial Services Information Sharing andAnalysis Center (FS-ISAC), and others.

In one embodiment, one or more producers are provided that producemalware analysis data from the automated analysis of malware samples(e.g., dynamic and/or static analysis results), which can be stored in adatabase, such as malware analysis result databases (primary) 304 andreplica databases (secondary) 306 as shown in FIG. 3. In an exampleimplementation, a dedicated producer exists to process the variousfields from the malware analysis result database, such as the followingfields in a malware sample analysis table: virustotal_hit(sample_analysis), and multiscan_hit (sample_analysis). This informationcan be checkpointed by update_time and sample_analysis table ID toensure that the latest information is processed.

RabbitMQ Processing from the Producers

In an example implementation, RabbitMQ 316 includes multiple queues forlive ingestion, including a queue for each of the producers 308,including: ES, HBase, and HDFS. The queue limits can be defined by theproducer configuration and the physical limit of the queues is bound bydisk and memory of a given physical machine. For example, rate limitingconfiguration and data production techniques can also be implemented toreduce/avoid starvation due to a high volume of session messages andrate limiting.

Consumers

In an example implementation, HBase consumer 322 and HDFS consumer 328can be implemented to ingest data published by their respectiveproducers, including from RabbitMQ 316 and log files 326 as shown, andpush it into their corresponding components, HBase 330 and log storage336, respectively. Additional processing can be performed for ESconsumer 324 to consume data from the ES producer. For example, logparsing can be performed to glean interesting data that can be utilizedfor presentation to a user and further analytics for threat intelligenceas further described below, and alerting, tagging, and additionalqueries that take place on the consumer side for sample and session datadue to an ability to parallelize the processing relative to theproducer.

In this example implementation, in order to keep up with an incomingrate of data, running 128 ES consumers over several machines for ElasticSearch, with up to 32 per machine, can be utilized to perform thedisclosed live ingestion techniques when live ingestion is processingolder data and needs to catch up quickly, and 96 ES consumers cansuffice when it is caught up and is just processing incoming data fromthe ES producer(s). For HBase, five instances of the HBase consumers cansuffice when live ingestion is caught up and is just processing incomingdata from the HBase producer(s); otherwise, 16 instances of the HBaseconsumers can be executed to catch up when it is processing older datafrom the HBase producer(s).

Elastic Search

In an example implementation, to facilitate tagging session and sampledata for alerts, the consumer can interface with a MySQL database 334 tofacilitate this functionality. In addition, to remove the bottleneck ofone producer with the ability to execute multiple consumers, readqueries are relatively cheap and can be parallelized to improve overallingestion performance. For example, the ES consumer can loop throughthree sub consumers: sample/task, MultiScanner (MS), and sessionconsumers. Multiple consumers can run on the same machine only bound byCPU and Memory. Each consumer can read messages from RMQ 316 and storethem locally. The consumers can process messages in batches (e.g., tenmessages at a time or some other number of messages).

Task Data

In an example implementation, a bulk of the ingestion intelligence lieswithin the task data parsing. The fields produced by the producer can beingested as is and embedded in a task document. Example fields embeddedin ES can include one or more of the following: task ID, platform,malware, behavior, JAPI, HTTP, DNS, connection, process, file, registry,mutex, service, information, miscellaneous, user agent, APK definedactivity, APK defined service, APK defined intent filter, APK definedreceiver, APK requested permission, APK sensitive API call, APK definedsensor, APK embedded URL, APK suspicious string, APK suspicious APIcall, APK suspicious file, and summary.

Index the Consumed ES Data

In one embodiment, the consumed ES data is indexed to facilitate asearchable set of ES data. In an example implementation, the consumed ESdata can be indexed and searchable after being processed for each task.

Log File Parsing

In one embodiment, the malware sample analysis data can be generated aslog files (e.g., the log files can include lines in the file withdifferent meta data and/or results of the automated analysis related tothe malware sample, or another data format can be utilized).

In an example implementation, log parsing is performed for each task fora sample. For example, it can be provided the following information:malware sample's SHA; task ID; sample's MD5 (e.g., used for validation);platform that the task ran on (e.g., OS/version of the platform of thesandbox environment, such as Windows XP or Windows 7, to determine how alog file should be parsed); a file type associated with the sample; alist of log files copied over for that sample; and/or a path of the logfile location. A task can have various log files for parsing (e.g.,using a log parser process that is configured to parse each type of logfile, which are raw log files from the automated malware analysis of asample(s) that can be processed using a log parser to generate processedlog files for each type of log file that can be consumed by the malwareanalysis system using the disclosed techniques), such as one or more ofthe following types of log files: Java API (JAPI) log, event log, APIlog, and XML report. For example, the log file parsing can be configuredto maintain much of the original information (e.g., when a line, such asa mutex line, registry line, file line, connections line, process line,information line, miscellaneous line, and/or another type of line isbroken down into fields, preserve as much of the original information,annotating obscure ones and removing distracting elements such as memoryaddresses that can vary from sample run to sample run); obfuscateelements that can assist a malware developer to attempt to reverseengineer and defeat the malware analysis system; improve userreadability by removing non-essential fields and mapping obscure fieldsto well-known descriptors; preserve as much of the numbers that occur ina line as possible with the exception of process IDs (PIDs) and memoryaddresses to improve readability for researchers (e.g., PIDs can bemapped to process names such as using a dictionary mapping for such anoperation, and memory addresses can be removed, but if a file or a mutexonly consists of numbers as a name, it can be preserved); and/or removenon-ASCII characters that can break live ingestions and the third partytools it uses.

Example excerpts from raw log files are provided below, includingexample excerpts from the following types of log files: a raw event log,a raw API log, and a raw XML, report. As described above and furtherdescribed herein, the log file parsing operations can be performed toprocess each of these raw log files to generate processed log files thatcan be consumed by the malware analysis platform using the disclosedtechniques.

Below is an example excerpt from a raw log file for monitored APIactivities of a sample during the automated analysis of the sample,which is an example excerpt of a raw API log.

   info,0x00011083,md5:F0A8D5B10B0B5440CBC970FA1B106B35   info,0x00011084,version, Feb 06, 2013   info,0x00011086,mac_address,00:25:64:D5:85:4D   info,0x0001108c,ip_address,192.168.180.87   tree,0x000110b0,0,[System Process],0    tree,0x000110b1,4,System,0   tree,0x000110b2,320,smss.exe,4    tree,0x000110b3,432,csrss.exe,320   tree,0x000110b4,456,winlogon.exe,320   tree,0x000110b5,556,services.exe,456   tree,0x000110b6,568,lsass.exe,456   tree,0x000110b6,736,svchost.exe,556   tree,0x000110b7,800,svchost.exe,556   tree,0x000110b8,908,svchost.exe,556   tree,0x000110b9,996,svchost.exe,556   tree,0x000110ba,1020,svchost.exe,556   tree,0x000110bb,1508,explorer.exe,1480   tree,0x000110bc,1608,reader_sl.exe,1508   tree,0x000110bd,1624,cmd.exe,1508   tree,0x000110be,1952,rundll32.exe,1508   tree,0x000110bf,184,wmiprvse.exe,736   tree,0x000110c0,1104,cmd.exe,1624   tree,0x000110c0,1324,explorer.exe,1624   process,0x00011707,1324,hash,C:\program             files\internetexplorer\iexplore.exe,55794B97A7FAABD2910873C85274F409,814A37D89A79AA3975308E723BC1A3A67360323B7E3584DE00896FE7C59BBB8E   process,0x00011715,1324,CreateProcessInternalW,1368,C:\Program  Files\InternetExplorer\iexplore.exe,“C:\Program Files\Internet Explorer\iexplore.exe”-nohome    tree,0x0001171c,1324,C:\Program Files\InternetExplorer\iexplore.exe,1368   api,0x0001196e,1368,GetModuleHandle,iexplore.exe   api,0x0001197b,1368,LoadLibraryExW,SHELL32.dll=0x7c9c0000,NULL,0   registry,0x0001197d,1368,RegCreateKeyEx,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders   registry,0x0001197e,1368,RegCreateKeyEx,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders   registry,0x00011980,1368,RegSetValueEx,\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders,Desktop,C:\Documents and Settings\Administrator\Desktop   api,0x00011981,1368,IsDebuggerPresent   api,0x00011983,1368,LoadLibraryExW,SHELL32.DLL=0x7c9c0000,NULL,0   api,0x00011985,1368,LoadLibraryExW,ole32.dll=0x774e0000,NULL,0   api,0x00011989,1368,GetModuleHandle,iexplore.exe   process,0x0001198c,1368,OpenProcess,0x00000094,0x02000000,1508   api,0x0001198e,1368,GetModuleHandle,shell32.dll   api,0x0001199a,1368,LoadLibraryExW,BROWSEUI.dll=0x75f80000,NULL,0   registry,0x0001199b,1368,RegCreateKeyEx,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders   registry,0x0001199d,1368,RegCreateKeyEx,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders   registry,0x0001199e,1368,RegSetValueEx,\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders,Favorites,C:\Documents and Settings\Administrator\Favorites ...

Below is an example excerpt from a raw log file for monitored events ofa sample during the automated analysis of the sample, which is anexample excerpt of a raw event log.

   “registry”,“0x000110ab”,“1508”,“C:\WINDOWS\explorer.exe”,“SetValueKey”,“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\SessionInformation\ProgramCount”,“Value:1”,“Type:4”   “file”,“0x0001114c”,“908”,“C:\WINDOWS\system32\svchost.exe”,“Write”,“C:\WINDOWS\ Tasks\pan_test.job”   “registry”,“0x000116d1”,“1324”,“C:\Documents            andSettings\Administrator\explorer.exe”,“SetValueKey”,“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Personal”,“Value:C:\Documents and Settings\Administrator\MyDocuments”,“Type:1”   “registry”,“0x000116df”,“1324”,“C:\Documents            andSettings\Administrator\explorer.exe”,“SetValueKey”,“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5424727b-91a4-11e2-9388-806d6172696f}\BaseClass”,“Value:Drive”,“Type:1”   “registry”,“0x000116e0”,“1324”,“C:\Documents            andSettings\Administrator\explorer.exe”,“SetValueKey”,“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4bf5404a-da64-11e4-81dd-806d6172696f}\BaseClass”,“Value:Drive”,“Type:1”   “registry”,“0x000116e1”,“1324”,“C:\Documents            andSettings\Administator\explorer.exe”,“SetValueKey”,“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{54247278-91a4-11e2-9388-806d6172696f}\BaseClass”,“Value:Drive”,“Type:1”   “registry”,“0x000116e5”,“1324”,“C:\Documents            andSettings\Administrator\explorer.exe”,“SetValueKey”,“\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell                Folders\CommonDocuments”,“Value:C:\Documents and Settings\AllUsers\Documents”,“Type:1” ...

Below is an example of excerpts of an XML, report generated as an outputfrom the automated analysis of a sample.

<?xml version=“1.0”?> <report><version>3.0</version><platform>2</platform> <software>Windows XP, Adobe Reader 9.4.0, Flash10, Office 2007</software><sha256>0000003c2830d7850d4d75d30e2653857bac4fc4a4443d53152b6f9cfbe2992d</sha256><md5>a95b96adf9734ce6c2831304c94e3ff1</md5> <size>348053</size><malware>no</malware> <summary>   <entry score=“0.0” id=“2” details=“The Windows system folder contains   configuration files and executables that control the underlyingfunctions of the    system. Malware often modifies the contents of thisfolder to manipulate the system,    establish persistence, and avoiddetection.”>Created or modified a file in the Windows    systemfolder</entry>    <entry score=“0.0” id=“3” details=“Legitimate softwarecreates or modifies files to    preserve data across system restarts.Malware may create or modify files to deliver    malicious payloads ormaintain persistence on a system.”>Created or modified a    file</entry>   <entry score=“0.0” id=“13” details=“The Windows Registry houses system   configuration settings and options, including information aboutinstalled    applications, services, and drivers. Malware often modifiesregistry data to establish    persistence on the system and avoiddetection.”>Modified the Windows    Registry</entry>    <entryscore=“0.0” id=“2034” details=“When opening a process, the Windows API   returns a handle or reference to the target process. When duplicatingthe handle,    elevated permissions can be requested and a malicioussample may do this to    obfuscate its malicious behavior.”>Openedanother process permission to duplicate    handle</entry>    <entryscore=“0.0” id=“2031” details=“By opening another process with fullaccess a    malicious sample has full control over it and can performmalicious actions such as    reading its memory, injecting maliciouscode, or terminating it.”>Opened another    process with fullaccess</entry> </summary> <evidence>    <file/>    <registry/>   <process/>    <mutex/> </evidence> <timeline> <entry seq=“1”>CreatedProcess C:\Program Files\Internet Explorer\iexplore.exe</entry><entry seq=“2”>Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop to valueC:\Documents and Settings\Administrator\Desktop</entry><entry seq=“3”>Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites to valueC:\Documents and Settings\Administrator\Favorites</entry><entry seq=“4”>Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots to valueNULL</entry> <entry seq=“5”>Created mutex Shell.CMruPidlList</entry> ...</timeline> <network>    <UDP port=“123” ip=“23.99.222.162”country=“US”/>    <dns type=“NS” response=“a7-131.akadns.net”query=“akadns.net”/>    <dns type=“A” response=“23.99.222.162”query=“time.windows.com”/>    <dns type=“NS”response=“a3-129.akadns.net” query=“akadns.net”/> ... </network><process_tree>   <process text=“C:\Program Files\Internet Explorer\iexplore.exe” pid=“1368”   name=“iexplore.exe”/> </process_tree> <process_list>  <process pid=“1368” name=“iexplore.exe” command=“C:\Program Files\Internet  Explorer\iexplore.exe”><process_activity/>   <registry>  <Create subkey=“Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell  Folders” key=“HKEY_CURRENT_USER”/>   <Createsubkey=“Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders”   key=“HKEY_CURRENT_USER”/>   ...  <Set subkey=“Desktop” key=“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-  682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”  data=“C:\Documents and Settings\Administrator\Desktop”/>  <Set subkey=“Favorites” key=“\REGISTRY\USER\S-1-5-21-2052111302-1214440339-  682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”  data=“C:\Documents and Settings\Administrator\Favorites”/> </registry><file><Create  type=“N/A”  name=“C:\Documents  and  Settings\Administrator\LocalSettings\Temp\REG7.tmp” size=“N/A” sha256=“N/A” sha1=“N/A” md5=“N/A”/><Create  type=“N/A”  name=“C:\Documents  and  Settings\Administrator\LocalSettings\Temp\REG8.tmp” size=“N/A” sha256=“N/A” sha1=“N/A” md5=“N/A”/><Create type=“N/A” name=“\\?\C:\Documents and Settings\Administrator\ApplicationData\Macromedia\Flash  Player\macromedia.com\support\flashplayer\sys\settings.sxx”size=“N/A” sha256=“N/A” sha1=“N/A” md5=“N/A”/><Create  type=“unknown”  name=“C:\Documents and Settings\Administrator\LocalSettings\History\History.IE5\MSHist012016021820160219\index.dat”   size=“32768”sha256=“b2f2400a9250b715ffbcb6c349a166f8b39fd0ada1b27966cfcb4bfe752c2c83”sha1=“ffeb18ae08240996c0dae419a7890d723f3221e0”md5=“299fb4ed010194c5c1b0323c300887d6”/> ... <Delete type=“unknown”name=“\\?\C:\Documents and Settings\Administrator\ApplicationData\Macromedia\Flash  Player\macromedia.com\support\flashplayer\sys\settings.sol”size=“46”sha256=“90CB9360E98292B3670D4F43B6D95C3638C22639ADD54903C099C446781BC69F”               sha1=“1882a610e32eea87b5d36df1b37f9b092c24eed2”md5=“474B98DCC92FF3820AC89C4960288390”/> ... </file> <service/> <mutex><CreateMutex name=“Shell.CMruPidlList”/><CreateMutex name=“c:!documents and settings!administrator!local settings!temporaryinternet files!content.ie5!”/> ... </mutex> <java_api/> </process></process_list> </report>

Tag Processing

In an example implementation, elastic search percolation can be utilizedto determine if the sample document that is being added matches anyconfigured queries (e.g., tags, such as further described below) in thesystem. If it is, a list of tags is returned which are parsed into tagcategories (e.g., support_id (C#), tag_definition_id (T#), andtag_definitions search_id (S#)). The tag list can then be pushed intoMySQL DB 334 in a sample_tag table based on the sample's SHA. Inaddition, if the sample is public (is_public), an alert can be triggered(e.g., by calling a stored procedure AlertOnPublicSample). Samples thatare newly tagged or whose tags have been changed since the last timethey were added have their SHA stored in a sample_ready table in MySQLDB 334. The sample_ready table can be used by the session from thesample producer to produce all the sessions for that SHA.

For example, tagging data can also be added to ES for efficient queries.In an example implementation, to improve performance, the tag data canbe embedded as a standalone child document keyed by the sample's SHArather than as part of the sample document itself. This approachfacilitates efficient updating of the tags on a sample in ES withoutimpacting the larger document itself.

Session Data

In an example implementation, a session document is implemented as achild document of the sample document. The fields produced by thesession producer can be ingested as is and embedded in the taskdocument. Example session fields can include one or more of thefollowing: app, device.acctname, device.country, device.countrycode,device.industry, device.ip, device.lob, device.model, device.serial,device.support_id, device.swver, device.hostname, src.country,src.countrycode, src.ip, src.port, src.isprivateip, dst.country,dst.countrycode, dst.ip, dst.port, dst.isprivateip, emailrecipient,emailsender, emailsubject, emailsbjcharset, filename, sha256, tstamp,user_id, vsys, session_id, file_url, and isuploaded.

SHA Trackers

Documents that are children of others can upsert their parent in casethey do not exist. This can add an overhead impacting overallperformance. In an example case, the session document can be affected bythis potential scenario. In order to avoid unnecessarily upserting theparent document which may already exist while also not incurring theoverhead of querying ES, in an example implementation, each ES consumercan maintain a SHA tracker table of seen SHAs that are populated bysample/task and session consumers as shown in FIG. 3. If a sample's SHAis already in the SHA tracker table, then upserting the parent sampledocument can be skipped as an update, thus, improving performance of theoverall ingestion process and system. For example, a SHA tracker classcan be implemented to maintain two tables (e.g., each of a millionSHAs), each switching between the two when one is 100% of capacity. At athreshold of capacity (e.g., 75% of capacity or some other thresholdvalue), the secondary table can be populated so as not to maintain alist of the most recent SHAs. The overlap minimizes the upserting of theparent document for SHAs that have already been seen.

Generating an Enhanced View of Malware Analysis Results Using LineCounts

As similarly described above, the significant amount and complexinformation that is generated by the automated malware analysis presentsa technical challenge to identify and/or determine the maliciousactivity a malware is performing and/or to associate patterns orrelationships between malware samples and their features and/orbehaviors. Accordingly, techniques for performing line counting aredisclosed for generating an enhanced view of malware analysis resultsusing line counts as further described herein.

In one embodiment, the malware analysis platform generates an enhancedview of malware analysis results using line counts of distinct lines inlog files that are results of the automated malware analysis. Forexample, the malware analysis platform can perform the above-describedingestion and transformation to process a set of log files including(e.g., selected/important) malware analysis results activity (e.g., suchas static malware analysis results and/or dynamic malware analysisresults, which can include mutex usages, network activities, registrychanges, API calls, and/or various other selected/important malwareanalysis results activity).

For example, the disclosed line counting techniques can be performed toprovide a statistical view of the malware analysis results data (e.g.,across different enterprise networks of subscribers/customers to themalware analysis platform service, categories of customers/industries,etc.), such as including one or more of the following: (1) commonactions/attributes that have been observed at least a threshold numberof times in both benign and malware samples; (2) (malicious/suspicious)actions/attributes (e.g., suspicious artifacts) that have been observedat least a threshold number of times in malware samples and onlyobserved a relatively lower threshold number of times in benign samples;and (3) actions/attributes (e.g., highly-suspicious artifacts) that havebeen observed at least a threshold number of times in benign samples andonly observed a relatively lower threshold number of times in malwaresamples.

In one embodiment, a system/process/computer program product for amalware analysis platform for threat intelligence made actionableincludes generating a human readable format of malware analysis resultlog files (e.g., replacing numeric identifiers and removingnot-interesting parameters, such as described herein); determining afirst occurrence of each distinct line in each log file (e.g., andremoving duplicate lines within the log file); and counting how manytimes each distinct line is observed in malware samples as compared withbenign samples.

In one embodiment, the disclosed line counting techniques are similarlyapplied to generate sub-line counts, such as further described herein.For example, a subset of each line can be counted, such as to implementsub-line/attribute/parameter counting (e.g., based on a registry name,mutex, file name, and/or other attributes/parameters, rather than theentire/whole line).

In one embodiment, the disclosed line counting techniques are similarlyapplied to generate the line/sub-line counts for a specified date rangeand/or a specified set of samples, such as further described herein.

For example, the disclosed line counting techniques can be performed toidentify the suspicious and/or highly-suspicious lines/sub-lines in alog file for a given malware sample (e.g., by determining thelines/sub-lines in the log file that are associated with a high malwarecount and/or a low benign count, such as further described herein). Inthis example, the suspicious and/or highly-suspicious lines/sub-linescan then also be utilized to automatically generate a new signature fordetecting malware for that malware sample. In this example, thedisclosed line counting techniques can also be performed as avalidation/proofing system to test and validate the new signature andexamine the line count results.

Performing Data Ingestion of Malware Analysis Results to Generate and/orUpdate Line Counts Associated with Analyzed Malware Samples

FIG. 4 is a flow diagram for performing a data ingestion process for themalware analysis platform for threat intelligence to update line countsmade actionable in accordance with some embodiments. In variousembodiments, the process shown in FIG. 4 is performed by thearchitecture and systems as similarly described above with respect toFIGS. 1-3.

At 402, data ingestion to process and consume (e.g., transform)automated malware analysis results is performed. In one embodiment, thedata ingestion process is performed using techniques similarly describedabove with respect to FIG. 3. For example, the data ingestion processcan be configured to execute once per day or some other periodicsetting, and/or on demand.

At 404, line counts for the consumed automated malware analysis resultsare determined. In one embodiment, lines are generated based on adynamic malware analysis (e.g., dynamic analyzer(s)) and/or a staticmalware analysis (e.g., static analysis artifacts), performed by theautomated malware analysis system, such as similarly described above.For example, the performance of the data ingestion process can processany new and/or updated malware sample analysis results from theautomated malware analysis system to determine verdicts and/or verdictchanges for every line associated with a given sample (e.g., a line caninclude an observation that was identified during the static or dynamicmalware analysis, such as a call to a given API, a request for a givenURL, a call to a given library, and/or various otherinformation/observations, such as further described herein) to determineif the sample is malware, benign, or grayware (e.g., adware or anothertype of grayware).

At 406, line counts are updated based on the consumed automated malwareanalysis results. In an example implementation, the processing of anynew and/or updated malware sample analysis results from the automatedmalware analysis system can be implemented by performing a MapReduce(M/R) job(s) to update a table of verdict changes/updates in a Key Value(KV) database (e.g., an incremental table for updated line counts can bestored in HBase 330 to keep track of the key, such as a SHA value of thewhole line for compressed data storage for efficiency, old verdict, andnew verdict to facilitate incremental/update data based on malwaresample processing since a last time the M/R job was executed). In thisexample, a M/R job can then be performed to update the historic countsin the KV database (e.g., a historic table for line counts in HBase 330)based on the new/incremental data in the incremental table of verdictchanges/updates. As a result, the updated line counts are then stored inthe updated historic table for line counts in the KV database based onthe new line counts computed based on incremental data values from theincremental table to the historic table data for each line to updatetheir respective line counts (e.g., the line counts can increase ordecrease based on verdicts/verdict changes). In one embodiment, thedisclosed process can include detecting a newly executed malwareanalysis for a given malware sample and replacing one or more linesassociated with the results for that sample in the KV database (e.g.,remove existing lines and/or add new lines).

FIG. 5 is a functional diagram for ingestion and processing of resultsof automated analysis of malware samples to update line counts inaccordance with some embodiments. In various embodiments, the functionalcomponents and process shown in FIG. 5 can be implemented using thearchitecture and systems as similarly described above with respect toFIGS. 1-3.

Referring to FIG. 5, malware analysis results 502 (e.g., log filesgenerated by the automated malware analysis system) are ingested andtransformed to determine verdict changes at 504. In one embodiment, thedata ingestion and transformation process is performed using techniquessimilarly described above with respect to FIG. 3. For example, the dataingestion process can be configured to execute once per day or someother periodic setting, and/or on demand.

Line count results are stored in a line counts table 506. As similarlydescribed above, log files of malware analysis results can bede-duplicated to identify distinct lines and then parsed to determineline counts for the consumed automated malware analysis results. In oneembodiment, lines are generated based on a dynamic malware analysis(e.g., dynamic analyzer(s)) and/or a static malware analysis (e.g.,static analysis artifacts, which can be processed using a M/R job toupdate the KV database), performed by the automated malware analysissystem, such as similarly described above. For example, the performanceof the data ingestion process can process any new and/or updated malwaresample analysis results from the automated malware analysis system todetermine verdicts and/or verdict changes for every line associated witha given sample to determine if the sample is malware, benign, orgrayware (e.g., adware or another type of grayware).

At 508, line counts are updated in an updated line counts table 510. At512, the processing of any new and/or updated malware sample analysisresults from the automated malware analysis system can be implemented byperforming a MapReduce (M/R) job(s) to update a table of verdictchanges/updates in a Key Value (KV) database 526 (e.g., which can beimplemented using HBase 330 as shown in FIG. 3) using an incrementalline counts table 514 for updated line counts. In an exampleimplementation, the incremental line counts table includes key values,such as a SHA value of the whole line (e.g., for compressed data storagefor efficiency) and the incremental line count.

At 516, a historic line counts table 518 is updated based on theincremental line counts table for any lines with incremental valuechanges. In an example implementation, the historic line counts tablecan be used for maintaining historic line counts (e.g., based on a lasttime the M/R job was executed) and can include key values, such as a SHAvalue of the whole line (e.g., for compressed data storage forefficiency) and the historic line count. In this example, theabove-described M/R job can be performed to update the historic linecounts in the KV database (e.g., using the incremental line counts tableand the historic line counts table) based on the new/incremental data inthe incremental table of verdict changes/updates. As a result, theupdated line counts are then stored in the updated historic table forline counts in the KV database based on the new line counts computedbased on incremental data values from the incremental table to thehistoric table data for each line to update their respective line counts(e.g., the line counts can increase or decrease based onverdicts/verdict changes). In one embodiment, the disclosed process caninclude detecting a newly executed malware analysis for a given malwaresample and replacing one or more lines associated with the results forthat sample in the KV database (e.g., remove existing lines and/or addnew lines).

At 520, new verdicts are determined to update a KV database table 522for storing verdict changes 524 in KV database 526. In an exampleimplementation, the KV database table includes key values, such as a SHAvalue of the whole line (e.g., for compressed data storage forefficiency), an old verdict value (e.g., a line count value based on alast time the M/R job was executed), and a new verdict value (e.g., anew line count value based on the verdict changes (if any)) tofacilitate incremental/update data based on malware sample processingsince a last time the M/R job was executed.

As will now be apparent, the above-described techniques and process cansimilarly be performed for ingestion and processing of results ofautomated analysis of malware samples to update sub-line counts inaccordance with some embodiments as further described below.

Performing Sub-Line (Attribute/Parameter) Counts Associated withAnalyzed Malware Samples

In one embodiment, the above-described line counting techniques cansimilarly be applied to a subset of a line. For example, the disclosedline counting techniques can similarly be applied to a subset of a wholeline, such as for a given attribute and/or parameter in the line tofacilitate attribute and/or parameter counting (e.g., counts can bedetermined and maintained/updated for calls to a specific URL, API,library, etc. based on the ingestion/transforming and processing of theautomated malware analysis results). In this example, theabove-described techniques and process for line counting can besimilarly applied to sub-line/artifact counting, in which the input isdifferent (e.g., input is a selected sub-line/artifact, such as for DNSdata, the sub-line/artifact can be an FQDN, for file data, thesub-line/artifact can be a file name, and so forth). As such, theabove-described line counting techniques can be applied to both wholelines as well as to subsets of whole lines as similarly described above.

Performing Line Counts Associated with Analyzed Malware Samples PerCustomer or Other Categorizations of Customers

In one embodiment, the above-described line counting techniques cansimilarly be processed by customer or other categorizations of customers(e.g., subscribers of the cloud security service that submit malwaresamples for automated malware analysis and also subscribe to/utilize themalware analysis platform). For example, line/sub-line counts can alsobe computed based on customer identifier (e.g., a unique customerID/serial number(s) that can be associated with samples) or othercategorizations of customers (e.g., a categorization by industry, suchas government, defense contractors, banks, high tech, retail, etc.). Inan example implementation, performing line counts associated withanalyzed malware samples per customer can be implemented using theabove-described ingestion process as part of the in-take/consumerprocess and using a set of line/sub-line counting tables per customer,per industry, and/or other categorization(s) of customers (e.g., inwhich customers can be preclassified into a given category such thattheir malware samples can be associated with the given category, whichcan then be extracted and utilized during the ingestion process toimplement the above-described line/sub-line counting techniques to beprocessed by customers or other categorizations of customers).

In one embodiment, a tag (e.g., based on the version of analyzer(s) usedfor the automated malware analysis for the sample results beingprocessed) is associated with processed malware analysis results for agiven line based on the analysis of a given malware sample. For example,a search based on the tag can be performed and/or lines/counts based onthe tag can be subsequently removed if that analyzer/version is deemedto be no longer reliable/accurate and/or is replaced with a newversion/analyzer.

Interface for a Malware Analysis Platform for Threat Intelligence MadeActionable

In one embodiment, an interface is provided for users to interact withthe malware analysis platform for threat intelligence. For example, aportal/GUI interface can be provided for users to interact with themalware analysis platform for threat intelligence, such as furtherdescribed below. As another example, a programmatic/API interface can beprovided for users to interact with the malware analysis platform forthreat intelligence, such as further described below.

Samples

In one embodiment, for both the automated malware analysis system andthe malware analysis platform for threat intelligence made actionable, asample refers to a file (e.g., a PDF or PE file) or a link included inan email. As similarly described herein, a firewall can send samples(e.g., unknown samples) to the automated malware analysis system foranalysis. Different artifacts can then be determined to be associatedwith the sample as it is executed and observed in the sandboxenvironment performed by the automated malware analysis system assimilarly described above. As further described herein, the malwareanalysis platform for threat intelligence made actionable allows a userto search for other samples (e.g., submitted by the samecustomer/subscriber or other customers/subscribers) based on the sample(e.g., based on a hash value of the sample or artifacts associated withthe sample based on the processed results of the automated malwareanalysis for that sample). For example, when a user performs a search inthe malware analysis platform for threat intelligence, the searchconditions are compared against all historical and new samples as willbe further described below.

Artifacts

In one embodiment, an artifact is an item, property, activity, orbehavior shown to be associated with a sample through both the automatedmalware analysis of the sample and through the malware analysis platformstatistics. For example, types of artifacts can include file attributes,IP addresses, domains, URLs, applications, processes, hashes, and/oremail addresses. In the disclosed malware analysis platform for threatintelligence, artifacts are highlighted both on the dashboard and withinsearch results (e.g., search results spotlight significant artifactsthat are identified according to risk; and the dashboard and searcheditor both can allow a user to add an artifact directly to an ongoingsearch or to an export list, such as further described below).

Tags

In one embodiment, a tag can be defined based on a collection of searchcriteria that together indicate a known or possible threat. Bothhistorical and new samples that match to the conditions defined for atag are associated with that tag. A user can perform searches and createalerts based on tags, such as will be further described below.

In one embodiment, a tag class can be defined to associate a tag with aknown actor, targeted campaign, malware family, malicious behavior, oran exploit. For example, using the interface for the malware analysisplatform for threat intelligence made actionable as further describedbelow, users can search for tags based on the tag class and/or can alsosearch for tags that do not have a specified tag class.

Public Tags and Samples

In one embodiment, public tags and samples in the malware analysisplatform are tags and samples that are visible to all users of themalware analysis platform. For tags created by a given user, the usercan set the status to be public, so that the tag is visible to users ofthe malware analysis platform (e.g., and the user can also revert thetag to be private).

Private Tags and Samples

In one embodiment, private tags and samples in the malware analysisplatform are tags and samples that are visible only to users associatedwith the subscriber (e.g., with the same support account to the cloudsecurity service and service for the malware analysis platform). Privatetags and samples can be made public (e.g., with the option to revert thetag or sample back to a private status).

Suspicious Artifacts

In one embodiment, suspicious artifacts are artifacts that aredetermined to have been widely detected across large numbers of samplesand are most frequently detected with malware. Though the artifact isoften also detected with grayware and benign samples, it is relativelyless than the frequency with which it is found with malware. In anexample implementation, suspicious artifacts can be determined usingline counting techniques based on a line count calculation that theartifact (e.g., line or sub-line) is associated with malware samples atleast a threshold value more times than it is associated with benignsamples (e.g., a threshold value of three times, such as malware linecounts (m#)>3×benign line counts (b#), or some other threshold value orcalculation can be applied). Techniques for determining whetherartifacts are suspicious artifacts are further described below.

Highly Suspicious Artifacts

In one embodiment, highly suspicious artifacts are artifacts that aredetermined to have been detected in very few samples (e.g., a lack ofdistribution of these types of artifacts could indicate an attackcrafted to target a specific organization) and are most frequentlydetected with malware. In some cases, these artifacts have beenexclusively seen with malware, and not observed (or rarely observed)with grayware or benign samples. In an example implementation, highlysuspicious artifacts can also be determined using line countingtechniques based on a line count calculation that the artifact (e.g.,line or sub-line) is associated with malware samples at least athreshold value more times than it is associated with benign samples andis found in a threshold number of malware samples (e.g., a thresholdvalue of three times, such as m#>3×b#, and the artifact (e.g., line orsub-line) is associated with fewer than a threshold number of malwaresamples (e.g., m#<500 samples); or some other threshold values orcalculations can be applied). Techniques for determining whetherartifacts are highly suspicious artifacts are further described below.

Actor

In one embodiment, an actor is an individual or group that instigatesmalicious activity. In an example implementation of the malware analysisplatform, a user can perform a search for malware that is indicative ofa threat actor (e.g., using the interface to select search and searchingon the condition Tag Class>is>Actor). A user can also create a tag toindicate that samples matched to that tag are related to an actor.

Campaign

In one embodiment, a campaign is a targeted attack which might includeseveral incidents or sets of activities. In an example implementation ofthe malware analysis platform, a user can perform a search for malwarethat has been classified as belonging to a campaign (e.g., using theinterface to select search and searching on the condition TagClass>is>Campaign). A user can also create a tag to indicate thatsamples matched to that tag are part of a campaign.

Family

In one embodiment, malware is grouped into a malware family. Malwaremight be considered related based on shared properties or a commonfunction. In an example implementation of the malware analysis platform,a user can perform a search for malware that has been identified asbelonging to a malware family (e.g., using the interface to selectsearch and searching on the condition Tag Class>is>Malware Family). Auser can also create a tag to indicate that samples matched to that tagare part of a malware family.

Dashboard for a Malware Analysis Platform for Threat Intelligence MadeActionable

FIG. 6 is a screen shot of a dashboard of an interface for the malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments. In one embodiment, a portal interface for themalware analysis platform for threat intelligence made actionableincludes a dashboard as shown in FIG. 6. For example, the dashboard canpresent a visual landscape of network, industry, and global threatartifacts. A threat artifact can be a sample hash (e.g., identifying alink included in an email or a file, such as a Portable Document Format(PDF) or Portable Executable (PE)), a statistic, a file property, orbehavior that shows a correlation with malware.

In one embodiment, a user can set a context of the dashboard to displayactivity and artifacts for their organization only, or to instead viewdata at an industry or global level. A user can also expand or narrowthe time range of the data displayed to view threat activity for a broador limited time frame, respectively. In this example, the dashboardwidgets can be implemented to be interactive, such that the user canhover a cursor over an artifact to view artifact details or click anartifact to add it to a search.

In one embodiment, the dashboard is configured to visually weight asubscriber's network data alongside industry and global data, in orderto provide both a context for their network activity and a window intothreats targeting similar organizations. In one embodiment, thedashboard is configured to facilitate a focus on pervasive threatactivity and add top artifacts directly to the search editor. These andother aspects and features of the dashboard will be further describedbelow.

Referring to FIG. 6, in one embodiment, the dashboard provides access tomultiple accounts for the malware analysis platform for threatintelligence. As shown at 602, users (e.g., threat researchers or otherusers) can have access to multiple support accounts and can select asingle support account to view data from the devices associated withthat account.

In one embodiment, a user can select a dashboard tab, as shown at 604,to set the context for the data displayed: My Organization, My Industry,or All. In this example, threat data and activity is displayed on thedashboard widgets updates to reflect the context selected. The widgetsare interactive and can be used to drill down and investigate malware orevent details. Users can also hover over artifacts displayed on thedashboard to reveal additional details, or click on an artifact to addthe artifact to the search editor. The dashboard displays data for aperiod of time (e.g., a default period of time can be the last sevendays or another period of time). Also, the data displayed on thedashboard can be filtered by context (e.g., move between the tabs to setthe dashboard context, displaying the varying threat landscapes fornetwork, industry, or globally) and/or filtered by date (e.g., set thedashboard to display data for the last 7, 30, 90, 180 days, all time, oranother time period).

In one embodiment, a user can utilize a navigation pane, as shown at606, to navigate between features (e.g., including search, alerts, tags,and export list features that can be accessed by selecting therespective features in the navigation pane as shown) that allow the userto search global and historical threat data and to manage malware tagsand alerts (e.g., techniques for smart tagging and alerting of analyzedmalware sample results using the disclosed malware analysis platform forthreat intelligence made actionable is further described below). In thisexample, a search editor is provided that allows users to perform freeform searches using Boolean logic. For example, a user can set up asearch based on threat artifacts gathered from their enterprise networkenvironment, or from viewing industry or global data on the dashboard(e.g., to drill down on search results to find, for example, high-riskartifacts, including the number of times that artifacts, such as an IPaddress, have been detected with malware, benign, and grayware samples).As another example, a user can set up alerts based on tags, such asusing public tags and/or private tags to generate alerts when matched topublic and/or private samples (e.g., depending on alert settings,including prioritized alert notifications for certain types of tags,such as further described below). In an example implementation, a tag isa set of conditions compared against historical and new samples analyzedusing the malware analysis platform for threat intelligence. In thisexample, users can also publish tags in the malware analysis platformfor threat intelligence made actionable to identify and help usersdetect known threats (e.g., select tags in the navigation pane to viewprivate tags and public tags shared by other users). As yet anotherexample, a user can select the export list feature in the navigationpane to export artifacts, such as IP addresses, URLs, and domains to anexport data format (e.g., a CSV file or another file format). In thisexample, users can use the exported artifacts (e.g., CSV file) to importthe data to security information and event management (SIEM) tools or tosupport a firewall block list (e.g., a Palo Alto Networks firewallDynamic Block List or a firewall block list supported by anothercommercially available firewall solution). As also shown in thisexample, the settings feature can be selected to configure variousportal settings (e.g., preferred hash type used by default as the sampleor session identifier for search results: SHA-1, SHA-256, MD-5, oranother hash algorithm; share public tags anonymously; API key for APIaccess to the malware analysis platform, and/or other settings).

In one embodiment, the dashboard displays a malware download sessionshistogram (e.g., a graph or chart) as shown at 608. In this example, themalware download sessions histogram displays the malware sessions forsamples detected for the first time in the selected time range. Sessionswith known malware (e.g., malware that was first seen before theselected time range) are not reflected in this example. A user canadjust the histogram sliders to narrow or broaden the date range.Dashboard widgets are also filtered according to the time range that isselected.

In one embodiment, the dashboard includes dashboard widgets as shown at610. In this example, the dashboard widgets highlight the top tenartifacts depending on the context (e.g., organization, industry, orall) and time range selected, including the following: Top Applications(e.g., displays the ten most used applications); Top Malware (e.g.,displays the ten malware samples with the most hits); Top Firewalls(e.g., displays ten firewalls with the most sessions where malwaresamples were detected; a user can select the Organization tab on thedashboard to display the Top Firewalls in their network); and TargetIndustries (e.g., displays the ten industries with the highest counts ofmalware detected; a user can select the All tab on the dashboard todisplay target industries on a global scale). In an exampleimplementation, a user can also click a single bar in any widget todrill down on dashboard widgets. The artifact can be added to the searcheditor as a search condition, which allows the user to then search onthe artifact and/or to tag it (e.g., generate a tag based on theartifact and/or conditions associated with the artifact).

In one embodiment, the dashboard includes a map of source/destinationgeographies (e.g., countries) as shown at 612. In this example, thedashboard allows a user to view malware hot spots geographically. Theuser can select Source to display countries with high rates of malwaresessions originating from those countries, or select Destination todisplay countries with high rates of targeted attacks. Larger bubblescan be displayed on the map to indicate higher rates of activity asshown in this example. A user can also zoom in to more closely examinethe number of malware sessions by source or destination country.

In one embodiment, the dashboard includes a Top Tags chart as shown at614. In this example, a user can view the tags (e.g., smart tags)matched to the highest number of samples (e.g., including auser/subscriber's private tags, platform service provider alerting tagsthat are configured/defined by threat intelligence experts associatedwith the platform service provider—Palo Alto Networks in this example(shown as Unit 42 tags in this example), and public tags, which can beshown as distinguished based on the type of the tags—private, Unit 42,and/or public). As shown, the Top Tags list is sorted according to thenumber of samples matched to the tag in the date range selected on themalware sessions histogram (e.g., as shown at the top of the dashboard).For each tag, the list also displays the total number of samples thathave been matched to the tag and the date and time that the most recentmatching sample was detected. In an example implementation, a Top TagsWidget is provided such that a user can choose Tag Types to display theTop 20 private tags, Unit 42 alerting tags, Unit 42 informational tags,and/or public tags, and the user can select a tag to view tag details,including a description of the condition or set of conditions that thetag identifies, or to add the tag to a search.

In one embodiment, the dashboard includes an Alerts Log as shown at 616.In this example, a user can view the latest set of alerts (e.g., themost recent 20 alerts or some other number of recent alerts) on malwarematching enabled public, private, or Unit 42 tags. In an exampleimplementation, prioritized alerts can be configured to be automaticallypushed to subscribers/users (e.g., delivered through email or over HTTPto selected network/security admins for the subscribing customer).

In one embodiment, the dashboard includes a list of Recent Unit 42Research as shown at 618. In this example, a user can browse quick linksto the latest research, news, and resources from Unit 42, the threatintelligence experts associated with the platform service provider—PaloAlto Networks in this example.

Search on the Malware Analysis Platform for Threat Intelligence MadeActionable

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable includes a search feature (e.g., assimilarly described above with respect to FIG. 6). In an exampleimplementation, the search feature can facilitate searching of threatdata generated, maintained, and indexed by the malware analysis platformfor threat intelligence made actionable using various techniquesdescribed herein. For instance, the search feature can facilitatesearches of sample analysis results (e.g., including artifacts) anddrill down into the search results as further described below.

FIGS. 7A-7B are screen shots of a search editor of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In one embodiment, a portal interfacefor the malware analysis platform for threat intelligence madeactionable includes a search editor as shown in FIGS. 7A-7B.

In one embodiment, the platform includes a search editor to performcomplex searches, with conditions that allow users to narrow or broadenthe scope of a search. In this example, users can toggle their view ofsearch results to find: the samples matched to the selected searchconditions (e.g., using a Samples tab); the sessions during which thesamples were detected (e.g., using a Sessions tab); the top artifactsassociated with the returned samples (e.g., using a Statistics tab);and/or the passive DNS history and categorization of the results (e.g.,using a Domain, URL & IP Address Information tab). After performing asearch, users can drill down in sample results to find artifacts seenwith that sample. For each artifact associated with a sample, theplatform lists the number of times the artifact has been detected withbenign (#B), grayware (#G), and malware (#M) samples. Artifacts that areseen disproportionately with malware are indicated to be Suspicious orHighly Suspicious, such as using various techniques described herein fordetermining whether the samples are suspicious or highly suspicious.

Referring to FIG. 7A, a search function on the malware analysis platformfor threat intelligence made actionable is selected by clicking on theSearch function in a navigation pane as shown at 702. For example, userscan then add criteria in the search editor to begin a new search, use asaved search, and/or import a new search. As similarly described above,users can also click on an artifact highlighted on the dashboard, andthen the search editor displays with the artifact listed as a searchcondition.

As shown at 704, users can add one or more search conditions using thesearch editor that can be processed for generating search results basedon the one or more search conditions. For example, to create a searchcondition, a user can add the category for which the user wants tosearch and define the scope and value of the category. First, the usercan select a category from the drop-down menu to perform a search ofglobal threat data based on that category, such as the category shown as“verdict” in this example (e.g., categories can include hash value (MD5,SHA-256, etc.), verdict, and/or other categories). Second, the user canselect an operator for the search condition, such as the operator shownas “is” in this example (e.g., operators can include is, is not, is inthe list, is not in the list, has no value, has any value, and/or otheroperators). The operator determines the scope of search results; theuser can use the operator to limit or expand potential results, or toreturn exact match results. The operators available can vary dependingon the search category selected. Third, the user can enter or select avalue to define the search condition. Depending on the category andoperator selected, predefined values may be available to choose from, orusers may be requested to enter a unique value to perform the search. Asshown at 706, the user can select whether the search is performed withrespect to all samples, public samples, or the samples associated withthe user's account/entity (e.g., shown as My Samples in this example).

Referring to FIG. 7B, the search editor can also include a child queryto facilitate a search including a condition or a set of conditionsnested with and used to qualify a parent query. In this exampleimplementation, a child query, as shown at 712, is evaluated onlyagainst the parent query, as shown at 710, to which it is added. A usercan add a child query to return more granular search results, where theresults match to the parent query only when the child query is alsotrue. The example search illustrated in FIG. 7B shows a child queryadded to the Email Subject condition. Search results will be returnedfor samples where the following is true: (1) the sample was first seenbefore Mar. 13, 2015; and (2) the email subject for the sample filecontained the word test and received a WildFire verdict of eithermalware or grayware. In this example, users can also Move Up or MoveDown search conditions to move conditions to or from a child query.Depending on the placement of a condition, users can move it up or downto include it in a child query. Users can also move a condition up ordown to remove it from a child query so that it is no longer a nestedcondition—in this case, the condition is evaluated with all (or any)other search conditions, and is not evaluated against only the parentquery.

In one embodiment, searches can be saved. For example, users can savesearches that the users may be performing on a regular basis, or inorder to quickly recreate useful search settings.

FIG. 8 is a screen shot of a samples search view of a search editor ofan interface for the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments. In one embodiment,a tag can be created based on search conditions. As shown at 802, asample can be tagged to tag the sample as a threat indicator. Forexample, a Tag Results icon can be selected to generate a tag based onsearch conditions of a given set of search criteria entered or savedusing the search editor. In some cases, tags can be used to define a setof conditions that indicate an important network event or a possible orknown threat. For instance, this feature can be utilized by users to taga search so that any existing or future samples that match to the searchare efficiently and accurately tagged and can be automaticallyidentified and tracked using the malware analysis platform for threatintelligence. The tag can be saved with a name and a description.

As shown at 804, a sample can be shared as a public sample to share thesample with other security experts. In this example, a user can alsorevert a public tag created by the user's organization to private.

As shown at 806, a Network Sessions tab lists the sessions during whichthe sample was detected. The sessions displayed are all sessionssubmitted from firewalls to the malware analysis system as similarlydescribed above. A user can select a single session for session details(e.g., users can also navigate back to the File Analysis tab for thesample, or click on, for example, a Related Sessions tab—relatedsessions are sessions where samples with the same hash value, such asthe same SHA-256 hash value, were detected).

As shown at 808, a File Analysis tab lists properties, behaviors, andactivities observed for the sample during the automated analysisperformed by the malware analysis system, as similarly described above.For each activity artifact, the total number of times the artifact hasbeen found with benign (#B), grayware (#G), and (#M) malware samples islisted. High risk artifacts are highlighted as Suspicious or HighlySuspicious, and users can add these artifacts directly to an existingsearch or add them to an export list as shown at 810, as similarlydescribed herein.

In one embodiment, the search editor supports exporting a search. Forexample, a search can be exported in order to share the search betweensupport accounts or with another security expert.

In one embodiment, the search editor supports importing a search. Forexample, a search can be imported in order to import a search shared byanother security expert.

As an example, the search editor can be utilized to perform a searchusing the malware analysis platform for threat intelligence madeactionable to view samples matched to the selected search conditions(e.g., and can also be configured to search a specified scope ofsamples, such as Private/Subscriber Samples, Public Samples, and/or toAll Samples as similarly described herein). The Samples, Sessions,Statistics, and Domain, URL & IP Address Information tabs can then beselected to drill down in the search results different contexts, andallow you to drill down in to the results to find correlation amongartifacts, to narrow the search by adding artifacts to the search, andto add high-risk artifacts to the Export Artifacts feature, as similarlydescribed herein. Users can then assess the artifacts identified in thesearch results. Users can also export the artifacts identified in thesearch results, as similarly described herein.

FIG. 9 is a screen shot of a sessions search view of a search editor ofan interface for the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments. In one embodiment,the search editor includes a Sessions tab. For example, the Sessions tabcan display all sessions for all samples matched to the searchconditions. A user can select a single session to drill down for sessiondetails as shown in FIG. 9.

As shown at 902, session details include a Session Summary, from whichusers can add artifacts to a search using the search editor as similarlydescribed above.

As shown at 904, a File Analysis tab displays details for the samplethat was detected during the session.

As shown at 906, Sessions details also include a list of RelatedSessions, which are sessions where the same sample was detected.

FIG. 10 is a screen shot of a statistics search view of a search editorof an interface for the malware analysis platform for threatintelligence made actionable in accordance with some embodiments. In oneembodiment, the search editor includes a Statistics tab. For example,the Statistics tab can display all statistics for all samples matched tothe search conditions. A user can examine the statistics for all samplesmatched to the search conditions as shown in FIG. 10.

As shown at 1002, users can view statistics on artifacts associated withMy Samples, Public Samples, or All Samples.

As shown at 1004, users can click the Top Applications, Top Malware, TopFirewalls, or Target Industries widgets to add artifacts to theirsearch; the Statistics tab widgets are filtered based on the addedsearch condition. For example, users can click a web-browsing bar on theTop Applications widget. Web-browsing is added as a search condition andthe widgets, including the Source Countries malware map, are thenupdated to reflect the new web-browsing filter.

FIGS. 11A-11B are screen shots of a domain, URL, and IP addressinformation search view of a search editor of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In one embodiment, the search editorincludes a Statistics tab. In one embodiment, the search editor can beconfigured to view the domain, URL, and IP address information foundwith the samples matched to the search conditions.

Referring to FIG. 11A, users can select the Domain, URL & IP AddressInformation tab to view passive DNS history and an existingcategorization of the search results. As shown at 1102, users can set upa search (e.g., click/select a Target icon or the Domain, URL & IPAddress Information tab) that includes at least one of the followingconditions: URL, IP Address, or DNS Activity, such as by adding a searchcondition that DNS Activity contains zzux.com as shown in FIG. 11A.

Referring to FIG. 11B, users can review a categorization and passive DNShistory information found for samples matched to the search criteria. Asshown at 1110, PAN-DB is the Palo Alto Networks URL and IP database oranother commercially available URL and IP classification/categorizationthat is commercially or publicly available can be utilized. Users canthen review the web sites associated with URLs and the associatedcategory(ies).

As shown at 1112, users can review domain to IP address mappings foundfor samples that match their search condition(s).

Search Based on Observed Behavior

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable includes a search feature (e.g., assimilarly described above with respect to FIG. 6) that allows forsearches based on observed behavior. For example, users can utilize thesearch feature to find samples based on behaviors seen when the samplewas executed in the sandbox environment.

In an example implementation, users can search for samples that createdand modified files, started processes, spawned new processes, modifiedthe registry, and/or installed browser help objects (BHOs). The user canutilize the interface to select to initiate a search using the platform,select the search category of observed behavior, and then browse a listof possible behaviors to select one or more behaviors to search forsamples for which that behavior was seen when executed in the sandboxenvironment.

Share Links to Saved Searches

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable includes a search feature (e.g., assimilarly described above with respect to FIG. 6) that allows sharedlinks to saved searches. For example, users can select the searchfeature to open their saved searches, click a link icon to generate ashared link, and then copy the link to share it with other users (e.g.,other users of the malware analysis platform for threat intelligence).

Smart Tagging and Alerting Based on Artifacts Using the Malware AnalysisPlatform for Threat Intelligence Made Actionable

As similarly discussed above, network/security administrators (admins)are typically inundated with a significant number of, and often toomany, alerts and messages from the security devices and securityservices for their enterprise network(s). Moreover, such securitydevices and security services typically fail to provide relevant contextand prioritization for such alerts and messages to be effective and/orefficient to facilitate performing responsive action(s).

Thus, improved techniques for filtering and identifying relevant threatintelligence information are needed.

Accordingly, in one embodiment, tagging and alerting based on artifactsis provided using the malware analysis platform for threat intelligence.

For example, the above-described malware analysis platform can extractvarious static and behavioral artifacts, which can then be selected asartifacts to define tags based on a set of one or moreattributes/behaviors (and/or conditions based on one or moreattributes/behaviors) identified by the malware analysis platform duringanalysis of samples, as further described below. In this example, thesetags when created apply to the existing set of samples and are smartsuch that if any new sample is received by the malware analysis platformfor threat intelligence made actionable that exhibits the same set ofone or more attributes/behaviors, then the new sample is automaticallytagged and a notification can be communicated to the users thatconfigures an alert based on the tag. Further, this tagging and alertingcapability allows network/security admins to define specific artifactsthat they are interested in monitoring, such as domains, IP addresses,URLs, mutexes, and/or other attributes, so that when any event occurs intheir network that targets (e.g., matches) such artifacts, they can thenbe notified to allow them to effectively and efficiently performappropriate actions to mitigate the security threat.

In one embodiment, tags are applied as part of the intake processing fornewly processed samples/sessions by the malware analysis platform forthreat intelligence made actionable as similarly described above. In oneembodiment, a newly defined tag can be applied to (e.g., associatedwith) existing processed samples in a so-called lazy fashion asdescribed herein.

For example, a network/security admin user for ACME Corporation candefine a new tag and specify an alert based on the new tag using thedisclosed techniques. The user can then receive an alert if a samplefrom their enterprise network matches the tag. In this example, the newtag can be a new tag that the user configured using the malware analysisplatform for threat intelligence, or the tag can be an existing tagpreviously configured by the security vendor of the malware analysisplatform for threat intelligence made actionable or by another user ofthe malware analysis platform for threat intelligence.

In one embodiment, clustering techniques described below can be appliedto automatically generate tags (e.g., malware families can be associatedwith a smart tag). For example, a tag can be automatically generatedusing the disclosed attribute and/or clustering based analysistechniques as further described below.

In one embodiment, a tag can be a high priority tag. For example, if amalware sample is detected/received that matches a tag that is a highpriority tag (e.g., a tag that is associated with a serious threat canbe identified as a high profile tag, such as by the security vendor forthe malware analysis platform for threat intelligence), then an alertcan be sent to a network/security admin for ACME Corporation that theirnetwork is being targeted based on an alert that a malware samplematching the high profile tag was identified as having penetrated theirnetwork.

In one embodiment, a tag can be based on a set of one or moreattributes. In one embodiment, an attribute can be based on a lineand/or a sub-line (e.g., a subset of content extracted from a line) ofthe malware analysis results output from the malware analysis platformfor a sample, such as similarly described above. For example, a tag canbe based on a set of attributes (e.g., lines 1, 3, 7, and/or other linesor sub-lines). As another example, the tags can be generated based onthe below described automated/semi-supervised techniques forautomatically generating tags for the malware analysis platform forthreat intelligence.

These and other aspects associated with smart tagging and alerting basedon artifacts provided using the malware analysis platform for threatintelligence made actionable will now be further described below.

Alerts on the Malware Analysis Platform for Threat Intelligence MadeActionable

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable includes an alerts feature (e.g., assimilarly described above with respect to FIG. 6). For example,prioritized alerts allow users to quickly distinguish targeted, advancedattacks from commodity malware so that users can effectively andefficiently triage their network resources accordingly. As similarlydescribed herein, users can configure the malware analysis platform forthreat intelligence made actionable to set up alerts based on tag types(e.g., Unit 42 Alerting tags, public tags, or private tags).

In one embodiment, alerts can be configured to be communicated to usersover HTTP and/or email alerts (e.g., or other notification mechanisms)to receive such alerts as email notifications or to include alerts in aweb portal or a feed. In one embodiment, an Alerts Log on the dashboarddisplays alerts depending on the dashboard context, and users can alsoview the complete set of alerts by selecting Alerts on the navigationpane.

FIG. 12 is a screen shot of an alerts screen of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In one embodiment, alerts can beconfigured based on various notification criteria and/or tag type (e.g.,tags/smart tags are also further described below). For example, to setup alerts, users can define the type of alert they want to receive(e.g., the alert frequency and the notification destination), and thenenable the alert based on tag type, such as further described below.

Referring to FIG. 12, a user can define alerts (e.g., HTTP and emailalerts) by selecting Alerts on the navigation pane and then selectingSettings. Users can then define alert actions, as shown at 1204, thatusers can then select from to enable alerts based on tag types, as shownat 1202. In this example, defining alert actions includes setting up thealert as an HTTP or email alert and choosing to receive dailynotifications or notifications every five minutes. Users would onlyreceive notifications for samples matching to the alert criteria (e.g.,the tag) in the digest period that was selected; if no matching samplesare detected during the digest period, no notification is sent. Also, inthis example, there is a default alert action, shown as None, thatcannot be edited or deleted. This action can be useful if users do notwant to receive notifications for certain tags, or if users want tocreate an exception to notifications.

For example, users can enable HTTP and email alerts based on Tag Types.Users can choose for all samples matched to the tag type to generate analert, or narrow the alert criteria so that only private or publicsamples generate alerts. Additionally, the alerts feature can include anoption to create an alert exception that allows users the flexibility tospecify either prioritized alerts based on a specific tag, or to excludea specific tag from triggering an alert. Also, users can set the scopeof the alert (e.g., for each tag type, users can select My Samples to bealerted only when a firewall associated with the user's support accountis matched to the tag; users can select Public Samples to be alertedonly when public samples are matched to the tag; and users can selectboth My Samples and Public Samples to be alerted when any sample ismatched to the tag).

FIGS. 13A-C are screen shots of an alerts log screen of an interface forthe malware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In one embodiment, the dashboardprovides an Alerts Log screen. As shown, the Alerts Log on the dashboardlists alerts triggered within the selected dashboard date range,beginning with the most recent alerts. Also, the Alerts Log can displaya complete set of alert logs (e.g., users can select Alerts on thenavigation pane to view a complete set of alert logs).

Referring to FIG. 13A, users can drill down on alerts displayed on theAlerts Log screen. As shown at 1302, users can click on the SHA256 hashlink for a sample entry to add the sample to a search. As shown at 1304,users can select to sort the alerts based on time, tag type, SHA256 hashvalue, and/or tag.

Referring to FIG. 13B, users can hover over the tag on which the alertis based to view tag details, including the latest time and the totalnumber of times that traffic was matched to the tag, as shown at 1310.

In one embodiment, to search on the latest sample to trigger an alert,users can select the sample on the Alerts Log widget.

Referring to FIG. 13C, to review and/or search on the conditions thattriggered an alert, users can select a tag on the Alerts Log widget toview tag details. In this example, tag details can include a descriptionof the tag and a list of the conditions defined for the tag. From thetag details, users can open a search based on the tag or a singlecondition defined for the tag. As shown at 1320, users can add the tagto the search editor, to search for all historical and global samplesmatched to the tag. As shown at 1322, users can add a single conditiondefined for the tag to the search editor, to search for all historicaland global samples matched to that single condition.

Smart Tagging and Alerting of Analyzed Malware Sample Results Using theMalware Analysis Platform for Threat Intelligence

As similarly discussed above, the significant amount and complexinformation that is generated by various security systems and servicespresents a technical challenge to network/security admins. For example,network/security admins are typically inundated with a significant andoften overwhelming number of alerts and messages from the securitydevices and services. Moreover, such alerts and messages from thesecurity devices and services typically lack prioritization and relevantcontext to facilitate efficient processing and to facilitate performingappropriate actions based on certain alerts and messages.

Accordingly, techniques for smart tagging and alerting of analyzedmalware sample results using the malware analysis platform for threatintelligence are disclosed. In one embodiment, the malware analysisplatform for threat intelligence made actionable includes a capabilityto extract and uniquely name an artifact(s) (e.g., sets of behaviors orother attributes) associated with malware (e.g., or grayware), which arereferred to herein as tags (e.g., smart tags), such as further describedbelow. For example, these tags when created can apply to existing setsof samples and can be viewed as smart in the way that if any new sampleis analyzed and the malware analysis results are processed by theplatform, and the platform determines that the new sample exhibits thesame artifact(s), then the new sample is automatically tagged and analert can be triggered (e.g., based on a configuration of alertparameters associated with the tag, such as further described below).

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable includes a tagging feature assimilarly described above. For example, the interface for the malwareanalysis platform for threat intelligence made actionable allows usersto tag a set of conditions. As similarly discussed above, users can thensearch and alert based on the defined tag. In an example implementation,historical and future samples can be automatically matched by theplatform to the conditions defined for a tag (e.g., conditions based onone or more artifacts). Historical samples matched to the tag can alsobe searched to provide context and insight into surrounding events. Inaddition, new samples matched to the tag can be processed by theplatform to automatically generate an alert (e.g., a prioritized alert)to allow users to perform appropriate and timely action(s) to remediatethe security threat.

As an example, a new tag can be created by tagging a sample (e.g., thehash for the sample can be tagged, such as similarly described herein).As another example, a set of search conditions can be tagged. In anexample implementation, when a tag is created, the past and incomingsamples matched to the search conditions are tagged by the malwareanalysis platform for threat intelligence made actionable using thedisclosed techniques; and sample details display the tags to which thesample is matched. Also, users can then perform a search using thesearch editor and/or receive alerts based on the new tag.

As an example, assume that a bank, ACME Bank, is a customer of themalware analysis platform for threat intelligence made actionable. ACMEBank can utilize the platform to configure tags and alerts to facilitatetheir network/security admins based on specific artifacts that are ofinterest to the network/security admins for ACME Bank. Examples ofartifacts that can be defined to configure such tags and alerts based onthe tags can include domain names, IP addresses, URLs, and/or variousother artifacts as similarly described herein. In this example, assumethat a new sample was detected on the ACME Bank enterprise network andwas sent for cloud security malware analysis using the automated malwareanalysis and the sample analysis result (e.g., log file) was thenprocessed by the malware analysis platform for threat intelligence assimilarly described above. If the malware analysis platform for threatintelligence determines that the sample is associated with (e.g.,targets) any of these artifacts based on the processing of the sampleanalysis result (e.g., log file), then the sample is automaticallytagged by the platform, and an alert can be generated (e.g., thenetwork/security admins for ACME Bank can be notified based on aprioritized alert notification that includes relevant contextualinformation based on the tag that is defined based on the one or moreartifacts, which facilitates remedial/corrective actions to be timelyperformed using the platform and/or other security devices/services,such as further described herein).

In one embodiment, a dashboard for the platform is provided thatdisplays threat intelligence information based on the tags, such assimilarly described above with respect to FIG. 6 (e.g., My Tags, Unit 42Tags, and/or Public Tags as similarly described above). For example, thedashboard for the malware analysis platform for threat intelligence madeactionable can allow users to find the tags with the most sample hitsduring a set time range (e.g., top tags (My Tags, Unit 42 Tags, and/orPublic Tags) detected during a date range). As another example, thedashboard for the platform allows users to view the tags with thehighest total number of matching samples (e.g., top tags (My Tags, Unit42 Tags, and/or Public Tags) found with search results). Various otherdashboards/displays and/or search results can similarly be generatedbased on tags and/or alerts using the platform.

FIG. 14 is a screen shot of a tag detail screen of an interface for themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In one embodiment, the interface forthe malware analysis platform for threat intelligence made actionableallows users to select (e.g., click on) a tag to view detailedinformation associated with the tag displayed on a tag detail screen asshown in FIG. 14. For example, users can select any tag to revealdetails about that tag, including the set of conditions that is matchedto traffic, the last time that set of conditions was detected, and thetotal number of samples matched to the tag.

As shown at 1402, to open a search based on the tag, users can selectthe Search icon. As shown at 1404, users can edit private tag details.In this example, for private tags, users can edit tag details, includingthe scope of the tag to be private, public, or anonymously public. Asshown at 1406, users can select a delete/trash icon to permanentlydelete a previously generated tag (e.g., based on user access controls,such as for tags that were previously created by that user or theenterprise account associated with that user). For example, deleted tagscan show a Tag Status of removing after being deleted until the deletionis complete (e.g., when the deletion is complete, the tag status candisplay as disabled).

As shown at 1408, users can share a tag with security experts by makingthe tag Public (e.g., to share the tag with other network/security adminusers of the platform and/or the security service provider associatedwith the platform). Also, as similarly described above, users can alsorevert a tag previously made public back to a private tag. For example,tags can be shared anonymously, or the organization can be identified asthe owner of the tag if the user does not want to share the taganonymously.

As shown at 1410, users can Vote for, Comment on, and Report tags. Forexample, users can vote up for helpful tags and down-vote tags that theybelieve are misleading or are too general to be meaningful. As anotherexample, users can comment on tags, such as to provide feedback on tagsor share additional, relevant information with the threatintelligence/security community users of the platform. As yet anotherexample, users can report tags that are offensive or reveal sensitiveinformation. In this example, private tags would not show these options,as such options would only be applicable to publicly accessible/sharedtags.

As shown at 1412, users can search based on a single tag condition ordelete a single tag condition. For example, a user can select the Searchicon in the Actions column, to the right of the condition for which theuser wants to open a search (e.g., this option can be used to addconditions from an existing tag to the search editor, modify theconditions, and/or create a new tag).

Artifacts of Analyzed Malware Sample Results

In one embodiment, the interface for the malware analysis platform forthreat intelligence made actionable identifies artifacts that areextracted from and/or determined to be associated with analyzed samples(e.g., attributes, such as behaviors, features, and/or other artifacts,as similarly described above). In an example implementation, the malwareanalysis platform includes an automated analysis of malware samples(e.g., the WildFire™ cloud security service provided by Palo AltoNetworks, Inc., or another malware analysis platform/service) thatclassifies previously unknown samples as either malware, grayware, orbenign, so that a firewall can be configured to then block or enforcethe newly-identified malware or grayware according to a security policy(e.g., an enterprise security policy or other security policy). As alsosimilarly described above, when the automated analysis of malwaresamples observes and executes a sample in the sandbox environment duringa dynamic analysis phase and/or determines attributes during a staticanalysis phase, the malware analysis platform can process the results toautomatically identify artifacts of the analyzed malware sample results(e.g., file properties and/or behaviors including observed behavior,process activity, connection activity, service activity, and/or otherbehaviors/activities, such as registry activity, file activity, otherAPI activity, mutex activity, DNS activity, and/or static analysisincluding suspicious file properties and/or other static analysisproperties) that can be accessed, analyzed, and/or made actionableutilizing the interface or the malware analysis platform for threatintelligence made actionable as will now be further described below withrespect to FIGS. 15A-D.

FIGS. 15A-D are screen shots of an interface for viewing and/orperforming actions based on artifacts utilizing the malware analysisplatform for threat intelligence made actionable in accordance with someembodiments. In one embodiment, the malware analysis platform for threatintelligence made actionable (e.g., AutoFocus cloud security serviceprovided by Palo Alto Networks, Inc., or another malware analysisplatform/service for threat intelligence) provides a new lens throughwhich to view, analyze, and perform actions based on the artifactscollected by the malware analysis platform.

In one embodiment, the malware analysis platform for threat intelligencemade actionable includes various analysis and statistics for theartifacts. In an example implementation, layers statistics overartifacts found to be associated with a sample can be provided to showthe number of times a given artifact has been determined/detected withother malware, grayware, or benign samples using various techniquesdescribed herein. For example, high-risk artifacts that are frequentlyobserved with malware can be determined to be Suspicious or HighlySuspicious using various techniques described herein.

In one embodiment, the high-risk artifacts can be determined, viewed,analyzed, and acted upon using the disclosed platform and techniques. Inan example implementation, the malware analysis platform for threatintelligence made actionable identifies high-risk artifacts included infile analysis details for a sample. In this example, an interface of themalware analysis platform for threat intelligence made actionable caninclude a File Analysis tab that groups similar artifacts into AnalysisCategories for easy reference, such as similarly described herein. Assimilarly described above, a user can utilize the interface to addhigh-risk artifacts to a search, or use them to generate an export listfor configuring a network/security device (e.g., a firewall or anothernetwork/security device) to perform actions (e.g., block, alert, orother actions) based on the high-risk artifacts using various techniquesdescribed herein.

Referring to FIG. 15A, a user can utilize the interface of the platformto perform a search as shown at 1502 (e.g., utilizing the Search Editorto set up a search as similarly described above) and select a samplefrom the search results as shown at 1504 to see the File Analysisdetails for that sample. As shown at 1506, a File Analysis tab for asample can display high-risk artifacts and the number of times theartifact was observed with malware, grayware, or benign samples (e.g.,as shown, dynamic analysis categories of artifacts include observedbehavior, process activity, connection activity, and service activity).

Referring to FIG. 15B, a user can utilize the interface of the platformto select a category of the artifacts, such as the Process Activitycategory as shown to view file analysis artifacts associated with thatcategory. As shown at 1510, for every artifact listed, the number oftimes the artifact has been detected with malware (#M), grayware (#G),and benign (#B) samples is displayed in a table formatted display outputby the interface of the platform. In this example, high risk artifactsare indicated with icons to designate them as Highly Suspicious orSuspicious as shown (e.g., a filled triangle symbol with an exclamationmark shown for Highly Suspicious and an exclamation mark shown forSuspicious).

Referring to FIG. 15C, a user can utilize the interface of the platformto select artifacts that match to their search conditions (e.g., even ifthey are not high-risk), highlighted in the search results. In thisexample, a search is performed for artifacts that include DNS activitythat contains nearly-gaze.ru, ns1.r01.ru, NS as shown at 1520. Theresults are highlighted in the DNS activity category that match theseexample search conditions as shown at 1522.

Referring to FIG. 15D, a user can utilize the interface of the platformto select artifacts (e.g., high-risk artifacts) to add the selectedartifacts to a search or an export list to perform an action based onthe selected artifacts (e.g., to search, export, and drill down on fileanalysis artifacts). As shown at 1530, a user can add artifacts found onthe File Analysis tab for a sample as similarly described above to theirexisting search and/or to an export list. Domains, URLs, and IPaddresses also allow users to view passive DNS history and variouscategorization information for the artifact.

Processes for the Malware Analysis Platform for Threat Intelligence MadeActionable

FIG. 16 is a flow diagram for a process performed using the malwareanalysis platform for threat intelligence made actionable in accordancewith some embodiments. In various embodiments, the process shown in FIG.16 is performed by the platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1-3.

At 1602, a plurality of samples is received for performing automatedmalware analysis to generate log files based on the automated malwareanalysis. For example, the automated malware analysis can includedynamic and/or static analysis as similarly described above.

At 1604, processing the log files is performed to determine artifactsassociated with malware. For example, if the artifact is determined tobe associated with malware based on the automated malware analysis, thenthe artifact can be deemed a high-risk artifact as similarly describedabove.

At 1606, an action is performed based on an artifact. For example, theartifact(s) can be imported to security information and event management(SIEM) tools or to support a firewall block list to perform securityenforcement on an enterprise network as similarly described above.

FIG. 17 is another flow diagram for a process performed using themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In various embodiments, the processshown in FIG. 17 is performed by the platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1-3.

At 1702, a plurality of samples is received for performing automatedmalware analysis to generate log files based on the automated malwareanalysis. For example, the automated malware analysis can includedynamic and/or static analysis as similarly described above.

At 1704, processing the log files is performed to determine artifactsassociated with malware. For example, a log file for a sample comprisesone or more lines based on the automated malware analysis results forthe sample as similarly described above.

At 1706, identifying distinct lines in the processed log files isperformed. For example, duplicate lines in the log file can bede-duplicated to generate a processed log file that includes onlydistinct lines as similarly described above.

At 1708, updating a line count for each of the distinct lines based online counting performed for previously processed log files is performed.For example, line counts can be utilized to generate statistics andanalysis for the malware sample results that can be presented in adashboard and facilitate user access and analysis of the malware sampleresults and statistics overlay as similarly described above. As anotherexample, line counts can be processed to determine whether any of thedistinct lines can be correlated with malware (e.g., and not likelyassociated with benign samples), which can be utilized to identifyhigh-risk artifacts as similarly described above.

At 1708, updating a line count for each of the distinct lines based online counting performed for previously processed log files is performed.For example, a line/sub-line can be updated as similarly describedabove.

At 1710, an action is performed based on a high-risk artifact. Forexample, the artifact(s) can be imported to security information andevent management (SIEM) tools or to support a firewall block list toperform security enforcement on an enterprise network as similarlydescribed above.

FIG. 18 is another flow diagram for a process performed using themalware analysis platform for threat intelligence made actionable inaccordance with some embodiments. In various embodiments, the processshown in FIG. 18 is performed by the platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1-3.

At 1802, a plurality of samples is received for performing automatedmalware analysis to generate log files based on the automated malwareanalysis. For example, the automated malware analysis can includedynamic and/or static analysis as similarly described above.

At 1804, processing the log files is performed to determine artifactsassociated with malware. For example, a log file for a sample comprisesone or more lines based on the automated malware analysis results forthe sample.

At 1806, identifying distinct lines in the processed log files isperformed. For example, duplicate lines in the log file can bede-duplicated to generate a log file that includes only distinct linesas similarly described above.

At 1808, determining whether any of the distinct lines are suspicious isperformed. For example, if a line/sub-line is determined to beassociated with malware, then such can be deemed a high-risk artifactand can be made actionable as similarly described above.

At 1810, an action is performed based on a high-risk artifact. Forexample, the artifact(s) can be imported to security information andevent management (SIEM) tools or to support a firewall block list toperform security enforcement on an enterprise network as similarlydescribed above.

Processes for Tagging and Alerting Using the Malware Analysis Platformfor Threat Intelligence Made Actionable

FIG. 19 is a flow diagram for a tagging and alerting process performedusing the malware analysis platform for threat intelligence madeactionable in accordance with some embodiments. In various embodiments,the process shown in FIG. 19 is performed by the platform and techniquesas similarly described above including the embodiments described abovewith respect to FIGS. 1-3.

At 1902, a plurality of samples is received for performing automatedmalware analysis to generate log files based on the automated malwareanalysis. For example, the automated malware analysis can includedynamic and/or static analysis as similarly described above.

At 1904, processing the log files is performed to extract artifactsassociated with the log files. For example, a log file for a samplecomprises one or more lines based on the automated malware analysisresults for the sample as similarly described above.

At 1906, determining whether a tag matches any of the plurality ofsamples based on the artifacts is performed. As an example, a new tagcan be created by tagging a sample (e.g., the hash for the sample can betagged, such as similarly described herein). As another example, a setof search conditions can be tagged.

At 1908, an action is performed based on whether a tag matches any ofthe plurality of samples. For example, an alert can be triggered basedon whether a tag matches any of the plurality of samples as similarlydescribed above.

FIG. 20 is another flow diagram for a tagging and alerting processperformed using the malware analysis platform for threat intelligencemade actionable in accordance with some embodiments. In variousembodiments, the process shown in FIG. 20 is performed by the platformand techniques as similarly described above including the embodimentsdescribed above with respect to FIGS. 1-3.

At 2002, a plurality of samples is received for performing automatedmalware analysis to generate log files based on the automated malwareanalysis. For example, the automated malware analysis can includedynamic and/or static analysis as similarly described above.

At 2004, processing the log files is performed to extract artifactsassociated with the log files. For example, a log file for a samplecomprises one or more lines based on the automated malware analysisresults for the sample as similarly described above.

At 2006, a tag is configured based on a plurality of conditionsassociated with one or more artifacts. For example, a set of searchconditions can be tagged as similarly described above.

At 2008, determining whether the tag matches any of the plurality ofsamples based on the plurality of conditions associated with one or moreartifacts is performed. For example, the platform can determine such tagmatches for new and historical samples as similarly described above.

At 2010, an alert is generated based on the determination that the tagmatches at least one of the plurality of samples. For example, aprioritized alert can be generated as similarly described above.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A computer-implemented method, comprising:receiving a plurality of samples for performing automated malwareanalysis to generate log files based on the automated malware analysis;processing the log files to extract artifacts associated with the logfiles; receiving a configuration to enable an alert action based on atag type for matching any of the plurality of samples, wherein the tagtype is configured for the alert action for a tag based on a pluralityof conditions associated with one or more artifacts, wherein the alertaction is configured to match private samples and public samples, andwherein the alert action is configured as a prioritized alert based onthe tag; determining whether the tag matches any of the plurality ofsamples based on the plurality of conditions associated with one or moreartifacts; and performing an action based on whether the tag matches anyof the plurality of samples including to trigger the alert action basedon the determination that the tag matches a sample detected on amonitored enterprise network, wherein the sample is a public sample andthe monitored enterprise network is associated with another subscriber'senterprise network.
 2. The method of claim 1, wherein an extractedartifact is a high-risk artifact, and wherein the high-risk artifact isdetermined to be associated with malware based on the automated malwareanalysis.
 3. The method of claim 1, wherein performing automated malwareanalysis includes performing a dynamic analysis.
 4. The method of claim1, wherein performing automated malware analysis includes performing astatic analysis.
 5. The method of claim 1, wherein a log file for asample comprises one or more lines based on results of the automatedmalware analysis for the sample.
 6. The method of claim 1, furthercomprising: generating another alert based on the determination that thetag matches a sample detected on a second monitored enterprise network,wherein the sample is a private sample and the second monitoredenterprise network is associated with the subscriber's enterprisenetwork.
 7. A system, comprising: a processor configured to: receive aplurality of samples for performing automated malware analysis togenerate log files based on the automated malware analysis; process thelog files to extract artifacts associated with the log files; receive aconfiguration to enable an alert action based on a tag type for matchingany of the plurality of samples, wherein the tag type is configured forthe alert action for a tag based on a plurality of conditions associatedwith one or more artifacts, wherein the alert action is configured tomatch private samples and public samples, and wherein the alert actionis configured as a prioritized alert based on the tag; determine whetherthe tag matches any of the plurality of samples based on the pluralityof conditions associated with one or more artifacts; and perform anaction based on whether the tag matches any of the plurality of samplesincluding to trigger the alert action based on the determination thatthe tag matches a sample detected on a first monitored enterprisenetwork, wherein the sample is a public sample and the first monitoredenterprise network is associated with another subscriber's enterprisenetwork; and a memory coupled to the processor and configured to providethe processor with instructions.
 8. The system recited in claim 7,wherein an extracted artifact is a high-risk artifact, and wherein thehigh-risk artifact is determined to be associated with malware based onthe automated malware analysis.
 9. The system recited in claim 7,wherein performing automated malware analysis includes performing adynamic analysis.
 10. The system recited in claim 7, wherein performingautomated malware analysis includes performing a static analysis. 11.The system recited in claim 7, wherein a log file for a sample comprisesone or more lines based on results of the automated malware analysis forthe sample.
 12. The system recited in claim 7, wherein the processor isfurther configured to: generate another alert based on determining thatthe tag matches a sample detected on a second monitored enterprisenetwork, wherein the sample is a private sample and the second monitoredenterprise network is associated with the subscriber's enterprisenetwork.
 13. The system recited in claim 7, wherein the processor isfurther configured to: determine whether the tag matches any of theplurality of samples based on the plurality of conditions associatedwith one or more artifacts.
 14. A computer program product, the computerprogram product being embodied in a non-transitory tangible computerreadable storage medium and comprising computer instructions for:receiving a plurality of samples for performing automated malwareanalysis to generate log files based on the automated malware analysis;processing the log files to extract artifacts associated with the logfiles; receiving a configuration to enable an alert action based on atag type for matching any of the plurality of samples, wherein the tagtype is configured for the alert action for a tag based on a pluralityof conditions associated with one or more artifacts, wherein the alertaction is configured to match private samples and public samples, andwherein the alert action is configured as a prioritized alert based onthe tag; determining whether the tag matches any of the plurality ofsamples based on the plurality of conditions associated with one or moreartifacts; and performing an action based on whether the tag matches anyof the plurality of samples including to trigger the alert action basedon the determination that the tag matches a sample detected on amonitored enterprise network, wherein the sample is a public sample andthe monitored enterprise network is associated with another subscriber'senterprise network.
 15. The computer program product recited in claim14, wherein an extracted artifact is a high-risk artifact.
 16. Thecomputer program product recited in claim 14, wherein the artifact is ahigh-risk artifact, and wherein the high-risk artifact is determined tobe associated with malware based on the automated malware analysis. 17.The computer program product recited in claim 14, wherein performingautomated malware analysis includes performing a dynamic analysis. 18.The computer program product recited in claim 14, wherein performingautomated malware analysis includes performing a static analysis. 19.The computer program product recited in claim 14, wherein a log file fora sample comprises one or more lines based on results of the automatedmalware analysis for the sample.
 20. The computer program productrecited in claim 14, and further comprising computer instructions for:generating another alert based on the determination that the tag matchesa sample detected on a second monitored enterprise network, wherein thesample is a private sample and the second monitored enterprise networkis associated with the subscriber's enterprise network.